03-21-2007 07:33 AM - edited 02-21-2020 02:56 PM
Does anyone know if there is a way to restrict a user to accessing only a certain number of IPs through the PIX when he/she is connecting through a VPN connection set up on the PIX itself?
03-21-2007 04:10 PM
You need to configure split tunneling for this. Only the IP addresses defined in the split-tunnel ACL will be accessible by the VPN client.
E.g. you want to restrict the clients to accessing an inside server only, say 192.168.1.1, and the client pool is 10.1.1.1-10.1.1.10.
Create an ACL:
access-list split permit ip host 192.168.1.1 10.1.1.0 255.255.255.0
vpngroup <groupname> split-tunnel split
That should do it. To read more about split tunneling:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1099471
*Please rate if it helped.
-Kanishka
03-22-2007 05:44 AM
You can also remove the "sysopt connection permit-ipsec" line and define an inbound ACL on your outside interface.
In that ACL, filter out the traffic from the source IP address (client pool).
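The two answers combined into one PIX 6.3 configuration fragment, added here as an example and not taken from either poster. The pool name vpnpool, group name vpngrp, ACL name outside_in and interface name outside are assumed, and the IKE/IPsec crypto map setup is assumed to already exist. The split-tunnel ACL only tells the client which destinations to send into the tunnel; the interface ACL is what the PIX itself enforces, so the second approach is the one that actually restricts the user.

```cisco
! Client address pool handed out to VPN users (from the first answer)
ip local pool vpnpool 10.1.1.1-10.1.1.10

! Split-tunnel network list: inside host as seen from the PIX side
access-list split permit ip host 192.168.1.1 10.1.1.0 255.255.255.0

! Assumed group name "vpngrp"; password shown as a placeholder
vpngroup vpngrp address-pool vpnpool
vpngroup vpngrp split-tunnel split
vpngroup vpngrp password <PLACEHOLDER-GROUP-KEY>

! Second answer: stop decrypted tunnel traffic from bypassing the interface ACL
no sysopt connection permit-ipsec

! Inbound ACL on outside: pool may reach 192.168.1.1 only, everything else dropped.
! The explicit deny is not required but makes the intent visible in "show access-list".
access-list outside_in permit ip 10.1.1.0 255.255.255.0 host 192.168.1.1
access-list outside_in deny ip 10.1.1.0 255.255.255.0 any
access-group outside_in in interface outside
```

Hit counts on the deny entry in "show access-list outside_in" show whether a client is attempting to reach anything beyond the permitted host.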