[c-nsp] PIX - access-list for pptp

Andrew Yourtchenko ayourtch at gmail.com
Tue Sep 19 07:03:06 EDT 2006


To be exact, the fixup pptp is not to allow the pptp to come *to* the
PIX, this is to allow the PPTP to go *through* the PIX - so it does
not belong to this setup.

What I believe should help is giving to the users
downloadable/per-user ACLs from RADIUS, and the access-group on the
"outside" interface (the one terminating the PPTP) having the
"per-user-override" keyword.

And pay attention to the "sysopt connection permit-pptp" - it
configures all the PPTP-decapsulated traffic to get in without the
check on the inbound interface ACL.

ACL on the inside would not help since the connection is originated on
the outside - so the return packets do not hit the ACL as they hit the
already established connection.

thanks,
andrew
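An added example, not configuration from the thread or from any of its participants, that puts the three points in Andrew's reply into one place: the outside-interface ACL applied with the per-user-override keyword, the per-user ACL delivered from RADIUS (shown here as a FreeRADIUS users-file entry using Cisco-AVPair ip:inacl lines), and the sysopt keyword he warns about. The keywords come from Andrew's reply and the addresses from Sam's question; the RADIUS server address 10.10.110.5, the outside address 203.0.113.1, the shared secret, the user name, the ACL name outside_in and the FreeRADIUS syntax are all assumptions. Whether a given 6.3 image accepts per-user-override and ip:inacl attributes should be checked against the command reference for that exact release before relying on this.

```text
! ---- PIX side (assumed 6.3 syntax, example only) ----
! RADIUS server group named RADIUS, matching Sam's
! "vpdn group 1 client authentication aaa RADIUS" line.
! (10.10.110.5 and the shared secret are assumed values.)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.110.5 r4d1us-s3cr3t timeout 5

! Andrew's warning: with this sysopt set, PPTP-decapsulated traffic is
! admitted without the inbound interface ACL being checked, so clear it.
no sysopt connection permit-pptp

! Outside interface ACL. Assumption: once the sysopt is cleared, the PPTP
! control channel and GRE to the PIX's own outside address (203.0.113.1,
! assumed) have to be permitted here. Everything else from outside stays
! denied by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.1 eq 1723
access-list outside_in permit gre any host 203.0.113.1

! per-user-override: an ACL downloaded from RADIUS for a user replaces
! outside_in for that user's decapsulated traffic instead of being
! combined with it. Users without a downloaded ACL keep outside_in.
access-group outside_in in interface outside per-user-override


# ---- RADIUS side (assumed FreeRADIUS "users" file syntax, example only) ----
# Masks are PIX-style subnet masks, not wildcard masks. The downloaded ACL
# only lets 10.10.111.0/24 reach 10.10.110.2, 10.10.110.3 and
# 10.10.110.0/28 (the two hosts are inside that /28; they are listed
# separately only to mirror Sam's wording). The final deny is implicit on
# the PIX anyway and is written out here for readability.
sam     Cleartext-Password := "changeme"
        Cisco-AVPair += "ip:inacl#1=permit ip 10.10.111.0 255.255.255.0 host 10.10.110.2",
        Cisco-AVPair += "ip:inacl#2=permit ip 10.10.111.0 255.255.255.0 host 10.10.110.3",
        Cisco-AVPair += "ip:inacl#3=permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240",
        Cisco-AVPair += "ip:inacl#4=deny ip any any"
```

After a PPTP user has authenticated, "show access-list" on the PIX should list the downloaded per-user ACL alongside outside_in, with its own hit counts; if the VPN user's traffic is still reaching hosts outside the /28, the first thing to re-check is that "sysopt connection permit-pptp" really is cleared, since with it set the interface ACL (and therefore the override) is never consulted for that traffic.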



On 9/19/06, Sam Cao <scao at verio.net> wrote:
>
>
> > -----Original Message-----
> > From: Eric Helm [mailto:helmwork at ruraltel.net]
> > Sent: Monday, September 18, 2006 11:05 AM
> > To: scao at verio.net
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] PIX - access-list for pptp
> >
> >
> > fixup protocol pptp 1723 is usually required.
> >
> This is to allow pptp to come in; my problem is to control what a remote pptp
> user can or can't access on the hosts on the inside interface.
>
> Sam,
>
> > /Eric
> >
> > Sam Cao wrote:
> > >> I have configured PIX (ver 6.3) to terminate pptp
> > >> connections. I'd like to manage what the pptp client can
> > >> access on the internal network, but have been unsuccessful in implementing it.
> > >>
> > >> ip address inside 10.10.110.1 255.255.255.0
> > >> !
> > >> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
> > >> !
> > >> vpdn group 1 accept dialin pptp
> > >> vpdn group 1 ppp authentication mschap
> > >> vpdn group 1 ppp encryption mppe 128 required
> > >> vpdn group 1 client configuration address local remote-addr-pool
> > >> vpdn group 1 client configuration dns 10.10.110.3
> > >> vpdn group 1 client authentication aaa RADIUS
> > >> vpdn group 1 pptp echo 60
> > >> !
> > >>
> > >> I want the pptp clients with ip 10.10.111.0/24 to only be able
> > >> to access some hosts on the inside interface 10.10.110.0/24 (i.e.
> > >> only allow access to hosts 10.10.110.2 and 10.10.110.3, or
> > >> 10.10.110.0/28).
> > >>
> > >> I tried an access-list in on the outside interface; it seems it
> > >> wouldn't filter, as the packets were encapsulated.
> > >> I tried an access-list in on the inside interface; it seems to only
> > >> stop traffic initiated from inside.
> > >>
> > >> Is there a way to do it?
> > >>
> > >> Sam,
> > >>
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
>

