PIX ipsec client vpn, how to create access-lists for multiple vpn groups

Discussion in 'Cisco' started by Mephesto, Jun 9, 2005.

  1. Mephesto
    Hi,

    I've read more topics on this issue but I'm still not sure yet about
    how to do this.

    I have a PIX 525 and I want several VPN client groups to use different
    access-lists.

    How do I "bind" the 2 access-lists to the VPN client traffic without
    affecting other traffic? In my eyes I can only give the command "nat
    (inside) 0 access-list nonat" once. So how do I make sure the 2nd
    access-list that is configured to block certain access for the 2nd VPN
    pool will be used?

    Hope you can help, thanks.
     
    Mephesto, Jun 9, 2005
    #1

  2. "Mephesto" <> wrote:

    > I have a PIX 525 and I want several VPN client groups to use different
    > access-lists.
    >
    > How do I "bind" the 2 access-lists to the VPN client traffic without
    > affecting other traffic? In my eyes I can only give the command:
    >
    > nat (inside) 0 access-list nonat
    >
    > once. So how do I make sure the 2nd access-list that is configured to
    > block certain access for the 2nd VPN pool will be used?


    You are probably making the common mistake of using the same
    access-list in vpngroup and nat 0, like

    access-list ACL permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    nat (inside) 0 access-list ACL
    vpngroup NAME split-tunnel ACL

    That is solved by making them different:

    access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
    access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    access-list ACL1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
    access-list ACL2 permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    nat (inside) 0 access-list NONAT
    vpngroup NAME1 split-tunnel ACL1
    vpngroup NAME2 split-tunnel ACL2
     
    Jyri Korhonen, Jun 9, 2005
    #2
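    The point behind the fix above is that nat 0 can carry only one access-list per interface, so that list has to be the union of every group's split-tunnel list, while each vpngroup gets its own list. The following Python linter is an added example (not posted in this thread and not a Cisco tool) that reads a PIX 6.x-style config and reports both problems: an access-list used for nat 0 and as a split-tunnel list at the same time, and a split-tunnel entry that no nat 0 entry covers. The two configs in it are constructed from the snippets in the reply above, and only the "access-list NAME permit|deny ip NET MASK NET MASK" form is parsed; "host", "any" and non-ip entries are an assumption left out.

```python
"""Lint a PIX 6.x config for the nat 0 / vpngroup split-tunnel problem from
this thread: one nat 0 ACL per interface, so it must be the union of every
group's split-tunnel ACL, and no ACL should play both roles.

Added example, not from the thread.  Constructed configs; only the
"access-list NAME permit|deny ip NET MASK NET MASK" form is parsed
("host"/"any" entries and other protocols are not handled)."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
SPLIT_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)$")


def _net(addr, mask):
    """PIX access-lists use real subnet masks, not IOS wildcard masks."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Return ACL entries, nat 0 ACL names and vpngroup split-tunnel bindings."""
    acls = defaultdict(list)    # name -> [(action, src_net, dst_net)]
    nonat = []                  # ACLs bound with "nat (ifc) 0 access-list ..."
    split = {}                  # vpngroup name -> split-tunnel ACL name
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            acls[name].append((action, _net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            nonat.append(m.group(1))
        elif m := SPLIT_RE.match(line):
            split[m.group(1)] = m.group(2)
    return {"acls": dict(acls), "nonat": nonat, "split": split}


def _exempt(src, dst, nonat_rules):
    """True if some nat 0 permit entry covers the whole src -> dst pair."""
    return any(a == "permit" and src.subnet_of(s) and dst.subnet_of(d)
               for a, s, d in nonat_rules)


def lint(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    nonat_rules = [r for n in cfg["nonat"] for r in cfg["acls"].get(n, [])]
    for group, acl in cfg["split"].items():
        # The mistake called out in the thread: one ACL doing both jobs.
        if acl in cfg["nonat"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {acl} "
                            f"is also the nat 0 ACL; give nat 0 its own list")
        # Every tunneled pair must be NAT-exempt, or the reply traffic is
        # translated and the tunnel to that network silently breaks.
        for action, src, dst in cfg["acls"].get(acl, []):
            if action == "permit" and not _exempt(src, dst, nonat_rules):
                findings.append(f"vpngroup {group}: {src} -> {dst} in {acl} "
                                f"is not covered by any nat 0 entry")
    return findings


# Constructed sample: the shared-ACL setup with a second group bolted on.
BAD_CONFIG = """
access-list ACL permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ACL2 permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list ACL
vpngroup NAME1 split-tunnel ACL
vpngroup NAME2 split-tunnel ACL2
"""

# Constructed sample: a separate NONAT list that is the union of ACL1 and ACL2.
GOOD_CONFIG = """
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list ACL1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ACL2 permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
vpngroup NAME1 split-tunnel ACL1
vpngroup NAME2 split-tunnel ACL2
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint(parse_pix(text)) or ["clean"])
```

    Run against BAD_CONFIG the linter reports that NAME1's split-tunnel list is also the nat 0 list and that NAME2's 192.168.0.0/16 -> 10.20.0.0/16 pair is not NAT-exempt; GOOD_CONFIG comes back clean. One caveat worth keeping in mind when reading the question: the split-tunnel list is pushed to the VPN client, which uses it to decide what to send down the tunnel, so on its own it is not a filter the PIX enforces against that pool; restricting what a pool may reach on the firewall side is a separate job for the interface access-lists.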

  3. Mephesto

    OK, that's clear. I thought split-tunnel was only to allow local access
    to resources for clients who connect, but apparently it's used for
    creating ACLs :p
     
    Mephesto, Jun 9, 2005
    #3