PIX ipsec client vpn, how to create access-lists for multiple vpn groups

Hi,

I've read several topics on this issue but I'm still not sure how to do this.

I have a PIX 525 and I want several VPN client groups to use different access-lists.

How do I "bind" the two access-lists to the VPN client traffic without affecting other traffic? As far as I can see, I can only give the command "nat (inside) 0 access-list nonat" once. So how do I make sure the second access-list, which is configured to block certain access for the second VPN pool, will be used?

Hope you can help, thanks.

-- Mephesto

You are probably making the common mistake and using the same access-list in vpngroup and nat 0, like

access-list ACL permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list ACL
vpngroup NAME split-tunnel ACL

That is solved by making them different:

access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list ACL1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ACL2 permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
vpngroup NAME1 split-tunnel ACL1
vpngroup NAME2 split-tunnel ACL2

-- Jyri Korhonen
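To show how the pieces in the reply above fit together on a PIX 6.3, here is a fuller two-group configuration. This is an added example, not Jyri's or Cisco's text: the inside network 192.168.0.0/16 and the 10.10.0.0/16 and 10.20.0.0/16 ranges come from the reply; the pool names, pool ranges, group names, the 192.168.50.0/24 server subnet that the second group is limited to, and the crypto settings are all assumed. The single `nat (inside) 0` line references one combined NONAT list, while each `vpngroup` gets its own split-tunnel list.

```cisco
! Added example (PIX 6.3 syntax), not from the thread. Addresses beyond
! 192.168.0.0/16, 10.10.0.0/16 and 10.20.0.0/16 are constructed for illustration.

! Client address pools, one per group (assumed ranges inside each /16)
ip local pool POOL1 10.10.1.1-10.10.1.254
ip local pool POOL2 10.20.1.1-10.20.1.254

! One NONAT list covers every client pool; it is the only list bound to nat 0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Per-group split-tunnel lists: group 1 is pushed the whole inside network,
! group 2 only the server subnet 192.168.50.0/24 (assumed)
access-list ACL1 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ACL2 permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0

! Group definitions: pool, split-tunnel list and group pre-shared key
vpngroup NAME1 address-pool POOL1
vpngroup NAME1 split-tunnel ACL1
vpngroup NAME1 idle-time 1800
vpngroup NAME1 password <group1-preshared-key>
vpngroup NAME2 address-pool POOL2
vpngroup NAME2 split-tunnel ACL2
vpngroup NAME2 idle-time 1800
vpngroup NAME2 password <group2-preshared-key>

! IPsec/ISAKMP plumbing shared by both groups (assumed policy values)
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set AES-SHA
crypto map VPN 10 ipsec-isakmp dynamic DYN
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
sysopt connection permit-ipsec
```

One check worth making before relying on this to "block" anything: the split-tunnel list is pushed to the client and decides which destinations the client sends through the tunnel, and with `sysopt connection permit-ipsec` in place the decrypted traffic bypasses the outside interface access-list entirely. If the second pool must be restricted on the firewall side rather than merely steered on the client, remove `sysopt connection permit-ipsec` and permit only the intended pool-to-subnet flows in the access-list applied to the outside interface, then confirm with `show access-list` that the hit counters move as expected.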

OK, that's clear. I thought split-tunnel was only to allow local access to resources for clients who connect, but apparently it's used for creating ACLs :-P

-- Mephesto
