01-01-2004 07:55 PM - edited 02-21-2020 12:58 PM
Hi there,
I got a PIX 501 implemented with IPSec VPN. Our customer would like to grant access control for different VPN users. They would allow a group of users to access the DB server, while the other VPN users cannot access it. May I ask whether there is any method to achieve this goal?
thanks a lot
David
01-01-2004 11:57 PM
You can do it as follows:
Make two separate local ip pools.
Add statements to the access-list applied to the outside interface, allowing one pool to reach the DB servers and denying the other pool access to the DB servers.
Also remove sysopt statement.
no sysopt connection permit-ipsec
Regards,
01-04-2004 08:08 AM
If you're using user authentication via RADIUS/TACACS+, you can use a single VPN group and IP pool and hand out an ACL per-user at the time of authentication.
If you're only using group name/password for VPN access, you'll need to use separate IP pools w/o the use of permit-ipsec as referenced by the other poster. Note that means you'll also need to create entries in your outside ACL for all traffic that should be allowed in from all VPN tunnels.
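The two-pool approach described in both replies above, written out as PIX 6.x configuration. This is an added example, not configuration posted by either replier; the pool names, group names, pool ranges, inside subnet, DB server address and service port are all assumed placeholders, and the ordering of the access-list lines is what makes the restriction work (the deny for the second pool must come before its general permit, since the PIX evaluates the list top down).

```cisco
! Two address pools, one per VPN group (names and ranges are assumed)
ip local pool dbusers 10.10.1.1-10.10.1.50
ip local pool staff 10.10.2.1-10.10.2.50

! Each VPN group hands out addresses from its own pool
vpngroup dbgroup address-pool dbusers
vpngroup dbgroup password REPLACE_WITH_GROUP_KEY
vpngroup staffgroup address-pool staff
vpngroup staffgroup password REPLACE_WITH_GROUP_KEY

! Stop decrypted VPN traffic from bypassing the outside interface ACL
no sysopt connection permit-ipsec

! Outside ACL. Line order matters: the deny for the staff pool must precede
! its general permit, otherwise the permit would match first.
! DB server 192.168.100.10 and port 1433 are assumed values.
access-list outside_in permit tcp 10.10.1.0 255.255.255.0 host 192.168.100.10 eq 1433
access-list outside_in deny ip 10.10.2.0 255.255.255.0 host 192.168.100.10
access-list outside_in permit ip 10.10.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_in permit ip 10.10.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group outside_in in interface outside
```

Because the sysopt bypass is removed, every flow that any VPN user should be able to reach inside now needs a permit line in this ACL, which is the point the second reply makes. After connecting from a client in each pool, `show access-list outside_in` shows per-line hit counts, so you can confirm that a staff-pool client's attempt to reach the DB server increments the deny line rather than a permit.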