PIX IPsec client VPN: how to create access-lists for multiple VPN groups

Discussion in 'Cisco' started by Mephesto, Jun 9, 2005.

  1. Mephesto

    Mephesto Guest

    Hi,

    I've read several topics on this issue, but I'm still not sure
    how to do this.

    I have a PIX 525 and I want several VPN client groups to use different
    access-lists.

    How do I "bind" the two access-lists to the VPN client traffic without
    affecting other traffic? In my eyes I can only give the command "nat
    (inside) 0 access-list nonat" once. So how do I make sure the second
    access-list, the one configured to block certain access for the second
    VPN pool, will be used?

    Hope you can help, thanks.
     
    Mephesto, Jun 9, 2005
    #1

  2. You are probably making the common mistake of using the same
    access-list in vpngroup and nat 0, like:

    access-list ACL permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    nat (inside) 0 access-list ACL
    vpngroup NAME split-tunnel ACL

    That is solved by making them different:

    access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
    access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    access-list ACL1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
    access-list ACL2 permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    nat (inside) 0 access-list NONAT
    vpngroup NAME1 split-tunnel ACL1
    vpngroup NAME2 split-tunnel ACL2
     
    Jyri Korhonen, Jun 9, 2005
    #2
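Added example (not part of the thread, and not Jyri's or Cisco's own configuration): a fuller PIX 6.3-style fragment that puts the two groups on separate address pools so the pool range identifies the group, keeps a single nat 0 exemption list, and gives each group its own split-tunnel list. It also adds the check the thread does not mention: the split-tunnel ACL is pushed to and enforced by the VPN client, and with "sysopt connection permit-ipsec" decrypted traffic bypasses the outside interface ACL, so the second group's restriction also needs to be enforced on the PIX. Pool names, group names, subnets, the outside address 203.0.113.1 and the ACL names are assumptions for illustration; IKE policy, transform set and crypto map lines are omitted.

```cisco
! Added example, not from the original post. All names, pools and
! subnets are assumed values chosen for illustration.

! One address pool per group, so the source address identifies the group
ip local pool POOL1 10.10.0.1-10.10.0.254
ip local pool POOL2 10.20.0.1-10.20.0.254

! NAT exemption: a single nat 0 statement with one ACL covering both pools
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Split-tunnel lists, one per group: these are pushed to the client and
! only tell it which destinations to send through the tunnel
access-list SPLIT1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SPLIT2 permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0

vpngroup GROUP1 address-pool POOL1
vpngroup GROUP1 split-tunnel SPLIT1
vpngroup GROUP2 address-pool POOL2
vpngroup GROUP2 split-tunnel SPLIT2

! Caveat: the split-tunnel ACL is enforced by the client, not by the PIX.
! With "sysopt connection permit-ipsec" the decrypted packets skip the
! outside ACL, so a client in GROUP2 with an edited local policy could
! still reach all of 192.168.0.0/16. To enforce on the firewall, remove
! the sysopt and filter decrypted traffic by pool address on the outside
! interface. The IKE/ESP permits are included in case to-the-box traffic
! is checked on the platform in use; they are harmless otherwise.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit udp any host 203.0.113.1 eq 500
access-list OUTSIDE_IN permit udp any host 203.0.113.1 eq 4500
access-list OUTSIDE_IN permit esp any host 203.0.113.1
access-list OUTSIDE_IN permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list OUTSIDE_IN permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list OUTSIDE_IN deny ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside
```

To verify the enforcement, connect a client in GROUP2, try a host outside 192.168.10.0/24, and confirm the hit counter on the deny line of OUTSIDE_IN increments ("show access-list OUTSIDE_IN"); if the sysopt is still present the counters will not move because the packets never reach the ACL.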

  3. Mephesto

    Mephesto Guest

    OK, that's clear. I thought split-tunnel was only to allow local access
    to resources for clients who connect, but apparently it's used for
    creating ACLs :p
     
    Mephesto, Jun 9, 2005
    #3
