[c-nsp] PIX - access-list for pptp
Sam Cao
scao at verio.net
Mon Sep 18 11:48:20 EDT 2006
> I have configured PIX (ver 6.3) to terminate pptp
> connections. I'd like to manage what the pptp clients can
> access on the internal network, but have been unsuccessful in implementing this.
>
> ip address inside 10.10.110.1 255.255.255.0
> !
> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
> !
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication mschap
> vpdn group 1 ppp encryption mppe 128 required
> vpdn group 1 client configuration address local remote-addr-pool
> vpdn group 1 client configuration dns 10.10.110.3
> vpdn group 1 client authentication aaa RADIUS
> vpdn group 1 pptp echo 60
> !
>
> I want the pptp clients with IP addresses in 10.10.111.0/24 to only be able
> to access some hosts on the inside interface 10.10.110.0/24 (i.e.
> only allow access to hosts 10.10.110.2 and 10.10.110.3, or
> 10.10.110.0/28).
>
> I tried an access-list in on the outside interface; it seems it
> wouldn't filter, as the packets were encapsulated.
> I tried an access-list in on the inside interface; it seems to only
> stop traffic initiated from inside.
>
> Is there a way to do it?
>
> Sam,
>