PIX VPN security setup: certain vpn clients to access only certain servers
Posted on 2006-05-04
I would like to know the best way to allow a remote client access to a server on our intranet, via a PIX firewall VPN appliance, while locking them out from all the other servers/clients except the one. The server of interest needs to talk to our internal database servers, and I am looking first at options that would keep it in place on the inside and try to secure access to it via VPN. Existing VPN users should have access, existing network users would have access, but new VPN user accounts (or perhaps VPN users from a source IP of xx.xx.xx.) would have access to ONLY that server.
Internet Router (126.96.36.199)--DMZ(188.8.131.52)--PIX Version 6.3(184.108.40.206) outside----pix inside 172.16.1.5/16--internal LAN (intranet web server 172.16.1.7, database/mail servers 172.16.2.8, private address clients 172.16.100.xxx)
When VPN users come in already, they are assigned an address from a secondary IP pool by the PIX of 192.168.1.x/24 and have access to everything.
I want someone on the internet to VPN into the network, and perhaps be assigned to an IP subnet that the web server of interest is also on - that prevents the remote client from accessing other servers/LAN clients but still allows all clients on the inside to access the web server as well.
Any ideas on how to implement security for this purpose?
Thanks in advance. Please let me know what additional info you need; I have limited available but will do my best.
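As an added example (not from the original post or from any reply), one way to express this on PIX 6.3: a second address pool and vpngroup for the restricted users, with decrypted tunnel traffic no longer exempted from the outside interface ACL so the restriction is actually enforced. The group and ACL names and the 192.168.2.x pool range are assumptions; the server, inside network and existing pool addresses are taken from the question.

```cisco
! Added example, not the poster's configuration. Assumed names: pool/group
! "webonly", ACLs "webonly_split", "nonat" and "outside_in". Assumed pool
! range 192.168.2.1-192.168.2.50. Other addresses come from the question.

! 1. Separate address pool for the restricted VPN users.
ip local pool webonly 192.168.2.1-192.168.2.50

! 2. Keep both VPN pools exempt from NAT on the inside interface.
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Split-tunnel ACL: only the web server route is pushed to restricted
!    clients. This shapes client routing; it is not enforcement by itself.
access-list webonly_split permit ip host 172.16.1.7 192.168.2.0 255.255.255.0

! 4. Restricted vpngroup (the pre-shared key is a placeholder).
vpngroup webonly address-pool webonly
vpngroup webonly split-tunnel webonly_split
vpngroup webonly idle-time 1800
vpngroup webonly password <GROUP-PRESHARED-KEY>

! 5. Enforcement: stop bypassing the outside ACL for IPsec traffic, then
!    state what each pool may reach. Existing users (192.168.1.x) keep
!    full access; the restricted pool reaches only the web server on 80.
no sysopt connection permit-ipsec
access-list outside_in permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.16.1.7 eq www
access-list outside_in deny ip 192.168.2.0 255.255.255.0 any
access-group outside_in in interface outside
```

Removing `sysopt connection permit-ipsec` applies to every IPsec peer terminating on this PIX, so any existing outside ACL entries and any site-to-site tunnels need matching `outside_in` permits before the change; `show access-list outside_in` hit counts confirm which rule each tunnel's traffic is landing on.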