PIX Hardware Question

I have several VPN users on my PIX515.  Some are allowed to connect to the 192.168.10.x range and others only the 192.168.11.x range.

So my question is this, I have an access list set up for the 10 range that looks like this:

access-list 102 permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0

BUT!  I want to add another user, and I don't want him to have access to the WHOLE 11 range, just one machine (i.e. 192.168.11.11).  Am I correct in guessing that the only way to do this is to create a new access list along the lines of

access-list 103 permit ip host 192.168.11.11 192.168.2.0 255.255.255.0

and assign just him to it? I was hoping it might be easier, but I can't think of another way to do it.

Thanks anyone!
Asked by dougp23
batry_boy commented:
You could set up a split tunnel configuration for the one user that only tunnels traffic for the one IP address you want him to access.  For example:

access-list splitTunnelAcl permit ip 192.168.11.11 255.255.255.255 any
vpngroup restricted_user split-tunnel splitTunnelAcl

Of course, you would also need the other "vpngroup" commands for this new VPN group, but you could copy your current values into statements for this new group.
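The split-tunnel ACL above controls only what the VPN client chooses to route through the tunnel; it is not enforced by the PIX. The following is an added example, not configuration from the thread, showing a complete vpngroup for the restricted user plus the firewall-side enforcement a practitioner would want. It assumes the existing clients draw addresses from 192.168.2.0/24 (the destination in the asker's ACLs suggests this) and gives the new group its own pool, 192.168.3.0/24, so its decrypted traffic can be told apart; the pool, ACL and group names, the idle time and the pre-shared key placeholder are all assumptions. Lines beginning with "!" are annotations, not PIX commands, and the crypto map, isakmp policy and dynamic map are assumed to already exist for the current groups.

```text
! Separate address pool for the restricted group (assumed range).
ip local pool restricted_pool 192.168.3.1-192.168.3.10

! Split-tunnel ACL: the client routes only 192.168.11.11 through the tunnel.
! "host 192.168.11.11" is equivalent to "192.168.11.11 255.255.255.255".
access-list splitTunnelAcl permit ip host 192.168.11.11 any

! NAT exemption so 192.168.11.11 answers the restricted pool untranslated.
! If a nat 0 ACL already exists, add this line to it instead of creating a new one.
access-list nonat permit ip host 192.168.11.11 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! The new vpngroup; copy dns-server / default-domain from the existing groups as needed.
vpngroup restricted_user address-pool restricted_pool
vpngroup restricted_user split-tunnel splitTunnelAcl
vpngroup restricted_user idle-time 1800
vpngroup restricted_user password <group-preshared-key>

! Enforcement. By default "sysopt connection permit-ipsec" lets decrypted VPN
! traffic bypass the outside interface ACL, so a client that adds its own routes
! could still reach the rest of 192.168.11.0/24. Turn the bypass off and permit
! each pool only to what its group may reach. Any inbound rules already applied
! to the outside interface must be merged into this ACL.
no sysopt connection permit-ipsec
access-list outside_in permit ip 192.168.3.0 255.255.255.0 host 192.168.11.11
access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.11.0 255.255.255.0
access-group outside_in in interface outside
```

With "no sysopt connection permit-ipsec", the outside ACL is the real boundary: the split-tunnel ACL keeps the client's routing tidy, while the permit line for 192.168.3.0/24 is what actually confines that user to 192.168.11.11. If the existing 10-range and 11-range users share one pool, the PIX cannot distinguish them on the outside interface, so each group that needs a different level of access should get its own pool and its own permit lines in the same way.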