
PIX VPN security setup: certain vpn clients to access only certain servers

I would like to know the best way to allow a remote client access to a server on our intranet, via a PIX firewall VPN appliance, while locking them out from all the other servers/clients except the one. The server of interest needs to talk to our internal database servers, and I am looking first at options that would keep it in place on the inside and try to secure access to it via VPN. Existing VPN users should have access, existing network users would have access, but new VPN user accounts (or perhaps VPN users from a source IP of xx.xx.xx.) would have access to ONLY that server.

Internet Router (Version 6.3) outside ---- PIX ---- inside LAN (intranet web server, database/mail servers 172.16.2.8, private-address clients 172.16.100.xxx)

When VPN users come in already, they are assigned an address from a secondary IP pool by the PIX of 192.168.1.x/24 and have access to everything.

I want someone on the internet to VPN into the network and perhaps be assigned to an IP subnet that the web server of interest is also on. That prevents the remote client from accessing other servers/LAN clients but still allows all clients on the inside to access the web server as well.

Any ideas on how to implement security for this purpose?

Thanks in advance. Please let me know what additional info you need; I have limited availability but will do my best.

1 Solution
The only way, and the quickest way, to do this that I know of would be to create another pool of IPs, create another VPN group and then add an entry to an existing NAT 0 ACL allowing the traffic.

In the example below there are two vpngroups; vpn_old has access to everything while vpn_new has access to only

ip local pool ippool1
ip local pool ippool2

access-list 100 permit ip
access-list 100 permit ip host

nat (inside) 0 access-list 100

vpngroup vpn_old address-pool ippool1
vpngroup vpn_old idle-time 1800
vpngroup vpn_old password ********

vpngroup vpn_new address-pool ippool2
vpngroup vpn_new idle-time 1800
vpngroup vpn_new password ********

Another way to do it is using downloadable ACLs, wherein you configure a set of access rules that are dynamically downloaded on a per-user/group basis. It's a more complicated way of doing it but scalable. I wouldn't recommend it if you have fewer than 50 VPN users.
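As an added illustration (not part of the original answer or of any Cisco tooling), a small Python model of how the `nat (inside) 0 access-list 100` entries in the solution decide which inside hosts are exempted from NAT toward which VPN pool, which is what restricts vpn_new to the single server. The 192.168.1.0/24 pool and the 172.16.2.8 database host come from the question; the second pool 192.168.2.0/24, the web server 172.16.2.20 and the client range are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions; only 192.168.1.0/24 and 172.16.2.8
# appear in the original question):
#   ippool1  192.168.1.0/24   existing VPN users, reach the whole 172.16.0.0/16
#   ippool2  192.168.2.0/24   new restricted VPN users
#   WEB      172.16.2.20      the one server restricted users may reach
#   DB       172.16.2.8       database/mail servers (must stay unreachable)
ACL_100 = """
access-list 100 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 100 permit ip host 172.16.2.20 192.168.2.0 255.255.255.0
"""


def parse_pix_acl(text):
    """Parse PIX 6.3 'access-list NAME permit|deny ip SRC DST' lines into
    (action, src_network, dst_network). Each endpoint is either 'host A.B.C.D'
    or 'A.B.C.D NETMASK' (PIX uses real netmasks, not IOS wildcard masks)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this model only understands protocol 'ip' entries
        action, rest, endpoints = tok[2], tok[4:], []
        for _ in range(2):
            if rest[0] == "host":
                endpoints.append(ipaddress.ip_network(rest[1]))  # /32
            else:
                endpoints.append(
                    ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
            rest = rest[2:]
        rules.append((action, endpoints[0], endpoints[1]))
    return rules


def nat0_exempt(rules, inside_host, vpn_client):
    """True if traffic between the inside host and the VPN client matches a
    permit entry. The nat 0 ACL is written from the inside interface's view
    (source = inside host, destination = VPN client); first match wins and
    an unmatched pair is not exempted, so the VPN client cannot reach it."""
    src = ipaddress.ip_address(inside_host)
    dst = ipaddress.ip_address(vpn_client)
    for action, s, d in rules:
        if src in s and dst in d:
            return action == "permit"
    return False


if __name__ == "__main__":
    rules = parse_pix_acl(ACL_100)
    for client in ("192.168.1.5", "192.168.2.5"):
        for host in ("172.16.2.20", "172.16.2.8", "172.16.100.7"):
            print(client, "->", host, nat0_exempt(rules, host, client))
```

The model covers only the NAT exemption step of the answer; it does not represent the crypto ACL or interface access lists a real PIX also evaluates, so treat it as a way to sanity-check the pool/ACL pairing, not as a substitute for testing on the appliance.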
