
PIX Hardware Question

I have several VPN users on my PIX515.  Some are allowed to connect to the 192.168.10.x range and others only the 192.168.11.x range.

So my question is this, I have an access list set up for the 10 range that looks like this:

access-list 102 permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0

BUT!  I want to add another user, and I don't want him to have access to the WHOLE 11 range, just one machine (i.e. 192.168.11.11).  Am I correct in guessing that the only way to do this is to create a new access list along the lines of

access-list 103 permit ip host 192.168.11.11 192.168.2.0 255.255.255.0

and assign just him to it?   I was hoping it might be easier, but I can't think of another way to do it.

Thanks anyone!
Asked by dougp23

1 Solution
 
batry_boy commented:
You could set up a split tunnel configuration for the one user that only tunnels traffic for the one IP address you want him to access.  For example:

access-list splitTunnelAcl permit ip 192.168.11.11 255.255.255.255 any
vpngroup restricted_user split-tunnel splitTunnelAcl

Of course, you would also need the other "vpngroup" commands for this new VPN group, but you could copy your current values into statements for this new group.
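As an added example (not part of batry_boy's answer or the asker's configuration), here is what the two vpngroup blocks could look like side by side on a PIX 6.x, plus the interface ACL that actually enforces the restriction. The group names, pool ranges, DNS server, domain and the use of 192.168.2.0/24 as the client address space are assumptions chosen to fit the ACLs in the question. The caveat a practitioner would want: a split-tunnel ACL only tells the VPN client which destinations to route through the tunnel, so on its own it is a convenience, not an access control. If `sysopt connection permit-ipsec` is configured, decrypted VPN traffic bypasses the outside interface ACL entirely; removing it and filtering on the address pool each group is assigned is what stops the restricted user from reaching anything other than 192.168.11.11. The user lands in the restricted group because his VPN client profile carries that group name and its pre-shared key.

```cisco
! Added example for PIX 6.x; names, pools and addresses are assumed.

! Separate address pools, so the firewall can tell the two populations
! apart by source address once the traffic is decrypted.
ip local pool vpn_full 192.168.2.128-192.168.2.191
ip local pool vpn_restricted 192.168.2.200-192.168.2.207

! Existing group with access to the whole 11 range. ACL 102 is the
! split-tunnel ACL from the question; the other values are assumed.
vpngroup full_users address-pool vpn_full
vpngroup full_users dns-server 192.168.11.5
vpngroup full_users default-domain example.local
vpngroup full_users split-tunnel 102
vpngroup full_users idle-time 1800
vpngroup full_users password <group-preshared-key>

! New group for the single user. The split-tunnel ACL makes his client
! send only traffic for 192.168.11.11 through the tunnel.
access-list splitTunnelAcl permit ip host 192.168.11.11 any
vpngroup restricted_user address-pool vpn_restricted
vpngroup restricted_user dns-server 192.168.11.5
vpngroup restricted_user default-domain example.local
vpngroup restricted_user split-tunnel splitTunnelAcl
vpngroup restricted_user idle-time 1800
vpngroup restricted_user password <different-preshared-key>

! Enforcement on the firewall, not on the client. With
! "sysopt connection permit-ipsec" present, decrypted traffic skips the
! outside ACL; without it, every tunnel's traffic is filtered by source
! pool address. Each existing group needs its own pool and permit line.
no sysopt connection permit-ipsec
access-list outside_in permit ip 192.168.2.128 255.255.255.192 192.168.11.0 255.255.255.0
access-list outside_in permit ip 192.168.2.200 255.255.255.248 host 192.168.11.11
access-list outside_in deny ip 192.168.2.0 255.255.255.0 any
access-group outside_in in interface outside
```

If an ACL is already bound to the outside interface, merge the permit and deny lines into that ACL rather than replacing it, or inbound traffic that is currently allowed will be dropped. After the user connects, `show vpngroup` confirms the group settings and `show access-list outside_in` shows hit counts on the host line and on the deny line, which is the quickest way to see whether he is being stopped at the firewall rather than just by his own routing table.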