Hey, I have a question about adding an ACL to VPN clients. Currently I have a Cisco PIX 515E (ASDM 5.0) set up with a VPN server. It authenticates users by accessing the TACACS server from the inside network. However, I don't know where to add the ACL for that user after they log in. For example, I would like to deny vpnusera (in TACACS) access to the 10.1.1.x network but allow him to access 10.2.2.x. Should I do the ACL policy on TACACS or on the PIX firewall itself?
Many thanks,
SL