VPN & outside access

rmv72
Level 1

I have a PIX 506E. I created VPN access to a remote host and now want to tune Internet access for internal users. For that I created this rule:

access-list 100 permit tcp any any eq www log

access-list 100 deny tcp any any

I want to restrict access to web servers only (everything else is denied).

access-group 100 in interface inside

After that my VPN channel failed. I tried to ping hosts behind the remote VPN router, it failed, and I see the following in the log:

106023: Deny icmp src inside:INTERNAL-HOST dst outside:REMOTE-HOST (type 8, code 0) by access-group "100"

==================

Here is part of my config:

access-list vpn_outside permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0

nat (inside) 0 access-list vpn_outside

===================

How can I make the PIX allow VPN access and only restricted access to Internet resources?

6 Replies

jmia
Level 7

Try adding:

access-list 100 permit ip any any at the end of your access-list 100.

> access-list 100 permit tcp any any eq www log

> access-list 100 deny tcp any any

> access-list 100 permit ip any any

> access-group 100 in interface inside

Make sure to issue clear xlate and save with write mem.

Let me know if this helps

Jay

But if I create that rule then there will be access to all resources on the Internet! I want users to have only access to www plus access to the remote VPN LAN!

Sorry, maybe I have misunderstood your question; you are trying to control access to www for your inside users, yes/no? And you are also having problems with your VPN connection to the remote site, yes/no?

If yes to the above questions, then can you please post your PIX config (remember to take out any sensitive info) and we will have a look.

Thanks

Jay

Yes, right.

Here is my config:

pixfirewall# sh run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

.....

access-list vpn_outside permit ip any 172.20.20.0 255.255.255.252

access-list vpn_outside permit ip any 172.20.21.0 255.255.255.248

access-list vpn_outside permit ip any 172.20.22.0 255.255.255.248

access-list vpn_outside permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0

access-list vpn_outside permit ip 172.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0

access-list outside_cryptomap_40 permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0

access-list outside_cryptomap_50 permit ip 172.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0

access-list 100 permit tcp any any eq www log

access-list 100 permit ip any any

...........

ip address outside A.B.C.D 255.255.255.0

ip address inside 172.20.4.1 255.255.0.0

......

global (outside) 1 interface

nat (inside) 0 access-list vpn_outside

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 router 1

access-group 100 in interface inside

....

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set VPN esp-des esp-md5-hmac

crypto ipsec transform-set C1603 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map MINSK 20 ipsec-isakmp

crypto map MINSK 20 match address outside_cryptomap_20

crypto map MINSK 20 set peer C.D.E.F

crypto map MINSK 20 set transform-set VPN

crypto map MINSK 40 ipsec-isakmp

crypto map MINSK 40 match address outside_cryptomap_40

crypto map MINSK 40 set peer C.D.E.F

crypto map MINSK 40 set transform-set VPN

crypto map MINSK 50 ipsec-isakmp

crypto map MINSK 50 match address outside_cryptomap_50

crypto map MINSK 50 set peer A.B.C.111

crypto map MINSK 50 set transform-set C1603

crypto map MINSK client authentication LOCAL

crypto map MINSK interface outside

isakmp enable outside

isakmp key ******** address C.D.E.F netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address A.B.C.111 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

================================

Thanks!

You need to have your access-list 100 look like this:

access-list 100 permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0

access-list 100 permit ip 172.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0

access-list 100 permit tcp any any eq http log

The problem is that the access-group applied to the inside interface determines what is allowed out, period. It simply looks at the source/destination pairs and protocols and if there is no match drops the traffic. Without the first two lines above the traffic is simply dropped before it even gets to the crypto engine to be passed over the tunnel, because all you were letting out was http. There have to be 'holes' punched so this traffic can pass the internal interface and be sent over the logical tunnels...
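To make the first-match behaviour described in that reply concrete, here is an added example that is not code from the thread, from Cisco, or from any PIX software: a small Python evaluator that parses the three versions of access-list 100 posted above and runs them against constructed packets from an inside host. It goes a little beyond the last reply by also evaluating the intermediate "permit ip any any" suggestion, which shows that its "deny tcp any any" line still blocks TCP across the tunnel while letting every non-TCP protocol reach the Internet. The inside host 172.20.4.10 (inside the 172.20.0.0/16 LAN from the config), the VPN-side host 10.10.1.5 and the Internet address 198.51.100.7 are constructed; the port names www/http are the only PIX literals the parser knows.

```python
"""Added example: first-match evaluator for a PIX-style inside access-list.

Models only what the thread needs: protocols ip/tcp/udp/icmp, source and
destination networks ('any', 'host A', or 'A MASK'), an optional 'eq <port>'
on tcp/udp entries, and the implicit deny at the end of every access-list.
All addresses and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80}  # PIX literal port names used in the thread


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _network(tokens, i):
    """Consume an address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" in dotted-mask form, as the PIX writes it
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = t[2], t[3]
    src, i = _network(t, 4)
    dst, i = _network(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)  # trailing 'log' is ignored


def matches(ace: Ace, pkt: Packet) -> bool:
    """An 'ip' entry matches every protocol; a port-less entry matches every port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the PIX's implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The three versions of access-list 100 that appear in the thread, in order.
ORIGINAL = [parse_ace(l) for l in [
    "access-list 100 permit tcp any any eq www log",
    "access-list 100 deny tcp any any",
]]
WITH_PERMIT_ANY = ORIGINAL + [parse_ace("access-list 100 permit ip any any")]
FINAL = [parse_ace(l) for l in [
    "access-list 100 permit ip 172.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0",
    "access-list 100 permit ip 172.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0",
    "access-list 100 permit tcp any any eq http log",
]]

# Constructed traffic from an inside host; 198.51.100.7 stands in for an Internet web server.
TRAFFIC = {
    "ping to VPN LAN":  Packet("icmp", "172.20.4.10", "10.10.1.5"),
    "smb to VPN LAN":   Packet("tcp", "172.20.4.10", "10.10.1.5", 445),
    "http to Internet": Packet("tcp", "172.20.4.10", "198.51.100.7", 80),
    "ssh to Internet":  Packet("tcp", "172.20.4.10", "198.51.100.7", 22),
    "dns to Internet":  Packet("udp", "172.20.4.10", "198.51.100.7", 53),
}


def evaluate_all():
    """Return {acl_name: {traffic_name: 'permit'|'deny'}} for the three ACL versions."""
    acls = {"original": ORIGINAL, "permit_ip_any_any": WITH_PERMIT_ANY, "final": FINAL}
    return {name: {desc: evaluate(acl, pkt) for desc, pkt in TRAFFIC.items()}
            for name, acl in acls.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name)
        for desc, decision in results.items():
            print(f"  {decision:6} {desc}")
```

Running it shows the original list denying the ping to the VPN LAN (no entry matches ICMP, so the implicit deny applies, which is exactly the 106023 message in the question), the "permit ip any any" variant permitting the ping but still denying SMB across the tunnel while letting UDP out to the Internet, and the final list permitting all traffic to the two VPN networks, permitting only HTTP to the Internet, and denying everything else.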

Thank you! It worked!