PIX VPN security setup: certain vpn clients to access only certain servers

Posted on 2006-05-04
Last Modified: 2013-11-16
I would like to know the best way to allow a remote client access to a server on our intranet, via a PIX firewall VPN appliance, while locking them out from all the other servers/clients except that one. The server of interest needs to talk to our internal database servers, and I am looking first at options that would keep it in place on the inside and try to secure access to it via VPN. Existing VPN users should have access, existing network users would have access, but new VPN user accounts (or perhaps VPN users from a source IP of xx.xx.xx.) would have access to ONLY that server.

Internet Router (Version 6.3) outside ---- pix ---- inside LAN (intranet web server, database/mail servers 172.16.2.8, private-address clients)

When VPN users come in already, they are assigned an address from a secondary IP pool by the PIX of 192.168.1.x/24 and have access to everything.

I want someone on the internet to VPN into the network, and perhaps be assigned to an IP subnet that the web server of interest is also on - that prevents the remote client from accessing other servers/LAN clients but still allows all clients on the inside to access the web server as well.

Any ideas on how to implement security for this purpose?

Thanks in advance; please let me know what additional info you need. I have limited available but will do my best.

Question by:pixel3000

    Accepted Solution

    The only way and the quickest way to do this that I know of would be to create another pool of IP addresses, create another vpngroup, and then add an entry to an existing NAT 0 ACL allowing the traffic.

    In the example below, there are two vpngroups; vpn_old has access to everything while vpn_new has access to only

    ip local pool ippool1
    ip local pool ippool2

    access-list 100 permit ip
    access-list 100 permit ip host

    nat (inside) 0 access-list 100

    vpngroup vpn_old address-pool ippool1
    vpngroup vpn_old idle-time 1800
    vpngroup vpn_old password ********

    vpngroup vpn_new address-pool ippool2
    vpngroup vpn_new idle-time 1800
    vpngroup vpn_new password ********

    Another way to do it is using downloadable ACLs, wherein you configure a set of access rules that are dynamically downloaded on a per-user/group basis. It's a more complicated way of doing it but scalable. I wouldn't recommend it if you have fewer than 50 VPN users.
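    The following is an added example, not part of the answer above and not a PIX or Cisco tool: a small Python checker that parses the PIX 6.3 statements the answer relies on (ip local pool, access-list, nat (inside) 0 access-list, vpngroup address-pool) and reports which inside servers each vpngroup can reach under the answer's model, where "reachable" means the NAT 0 ACL has a first-match permit from that inside host to the client's pool address. All addressing in it is constructed: 172.16.2.0/24 as the inside LAN, a hypothetical web server at 172.16.2.20, 192.168.3.0/24 as the second pool. It is meant as the check you would run on a candidate ACL before deploying it, to confirm the restricted pool sees exactly one server.

```python
import ipaddress

# Constructed sample config in PIX 6.3 syntax (placeholder addressing, not from the page).
# 172.16.2.0/24 is the inside LAN, 172.16.2.20 is the hypothetical web server,
# 192.168.1.0/24 is the pool for existing users, 192.168.3.0/24 the restricted pool.
SAMPLE_CONFIG = """
ip local pool ippool1 192.168.1.1-192.168.1.254
ip local pool ippool2 192.168.3.1-192.168.3.254
access-list 100 permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip host 172.16.2.20 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup vpn_old address-pool ippool1
vpngroup vpn_new address-pool ippool2
"""

# Constructed inventory of inside servers to test against.
SERVERS = {"web": "172.16.2.20", "db": "172.16.2.8", "mail": "172.16.2.9"}


def parse_endpoint(tokens, i):
    """Parse one ACL endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'.
    Returns (network, index of the next unparsed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a real netmask here, not a wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract pools, ACL entries, vpngroup->pool bindings and the NAT 0 ACL name."""
    pools, acls, groups, nat0 = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[3] == "ip":
            permit = t[2] == "permit"
            src, i = parse_endpoint(t, 4)
            dst, _ = parse_endpoint(t, i)
            acls.setdefault(t[1], []).append((permit, src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            groups[t[1]] = t[3]
    return pools, acls, groups, nat0


def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for permit, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return permit
    return False


def reachable_servers(config_text, group, servers):
    """Servers an address from the group's pool can reach, checked at both ends of the pool
    so a rule that only covers part of the pool is not reported as reachable."""
    pools, acls, groups, nat0 = parse_config(config_text)
    lo, hi = pools[groups[group]]
    entries = acls[nat0]
    return sorted(
        name for name, ip in servers.items()
        if all(acl_permits(entries, ipaddress.ip_address(ip), client) for client in (lo, hi))
    )


def policy_violations(config_text, group, allowed, servers):
    """Servers reachable from `group` that are not in the allowed set."""
    return sorted(set(reachable_servers(config_text, group, servers)) - set(allowed))


if __name__ == "__main__":
    for g in ("vpn_old", "vpn_new"):
        print(g, "->", reachable_servers(SAMPLE_CONFIG, g, SERVERS))
    print("vpn_new violations:", policy_violations(SAMPLE_CONFIG, "vpn_new", {"web"}, SERVERS))
```

    With the constructed config, vpn_old reaches db, mail and web, while vpn_new reaches only web and the violation list is empty; widening the second access-list entry from host to the whole 172.16.2.0/24 makes db and mail show up as violations, which is exactly the mistake the check is there to catch.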

