[nsp] PIX OS 6.3 and VPN/VPDN

info at beprojects.com info at beprojects.com
Mon Jul 12 18:10:47 EDT 2004


Explicitly define your internal networks on the no-nat and vpnpools ACLs;
don't use "any".

Also, on a side note, if you have nat (inside) 1, do not use 0.0.0.0
0.0.0.0.  It is just a bad idea.  Explicitly state the networks.  I don't
see those lines in your config; it is just an FYI (I know Cisco's docs say
to do that, but it is wrong and a bad idea.  Think virus with spoofed source
addresses).


----- Original Message ----- 
From: "Tony Mucker" <Tony at tonymucker.com>
To: <info at beprojects.com>; <cisco-nsp at puck.nether.net>
Sent: Monday, July 12, 2004 4:52 PM
Subject: Re: [nsp] PIX OS 6.3 and VPN/VPDN


> I just gave this idea a shot (thanks!).  I was able to ping the internet
> at large, but wasn't able to get anything on the VPN side (DNS/WINS
> servers included).  Here are my relevant configs:
>
> vpngroup vpnclientgroup address-pool vpnclient
> vpngroup vpnclientgroup dns-server 172.16.0.33 172.16.0.32
> vpngroup vpnclientgroup wins-server 172.16.0.33
> vpngroup vpnclientgroup default-domain ********
> vpngroup vpnclientgroup split-tunnel vpnpools
> vpngroup vpnclientgroup idle-time 1800
> vpngroup vpnclientgroup password ********
>
> vpdn group PPTP-VPDN-GROUP accept dialin pptp
> vpdn group PPTP-VPDN-GROUP ppp authentication pap
> vpdn group PPTP-VPDN-GROUP ppp authentication chap
> vpdn group PPTP-VPDN-GROUP ppp authentication mschap
> vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
> vpdn group PPTP-VPDN-GROUP client configuration address local pptp
> vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.0.33 172.16.0.32
> vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.0.33
> vpdn group PPTP-VPDN-GROUP client authentication aaa masterbdc
> vpdn group PPTP-VPDN-GROUP client accounting masterbdc
> vpdn group PPTP-VPDN-GROUP pptp echo 60
> vpdn enable outside
>
>
> access-list no-nat-inside permit ip any 172.16.100.0 255.255.255.0
> access-list no-nat-inside permit ip any 172.16.110.0 255.255.255.0
> access-list vpnpools permit ip 172.16.100.0 255.255.255.0 any
> access-list vpnpools permit ip 172.16.110.0 255.255.255.0 any
> ip local pool pptp 172.16.100.1-172.16.100.254
> ip local pool vpnclient 172.16.110.1-172.16.110.254
> nat (inside) 0 access-list no-nat-inside
>
> Any clues as to what I'm doing wrong?
>
> Also, is there something similar to split-tunnels for the VPDN (PPTP?)
>
> Thanks
> Tony
>
> info at beprojects.com wrote:
>
> >You need to set up split tunneling and the policy will be pushed to the users
> >when they connect.  Anything that matches the split tunnel acl will go
> >through the VPN.  Anything else will go directly out to the internet.  There
> >is no way to force Internet traffic through the pix and back out (although
> >I don't think you really want this anyway, I just thought I would let you
> >know).
> >
> >Say you have the following setup:
> >
> >vpnpool = 192.168.3.x
> >internal networks= 192.168.1.x and 192.168.2.x
> >
> >
> >Try something like this:
> >
> >access-list VPNUSER permit ip 192.168.1.0 255.255.255.0 192.168.3.0
> >255.255.255.0
> >access-list VPNUSER permit ip 192.168.2.0 255.255.255.0 192.168.3.0
> >255.255.255.0
> >
> >vpngroup BLAH split-tunnel VPNUSER
> >
> >
> >
> >
> >
> >>1)  How do I set up the VPN configs to allow them access to the outside
> >>world while VPN'd in?  Is this something handled on the client side?
> >>
> >>2) Is it possible for the client/PIX to send all traffic not destined
> >>for the internal side through the client's LAN gateway?  I only have a
> >>T1, and it's already abused as it is.
> >>
> >>Thanks again
> >>Tony
> >>_______________________________________________
> >>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >>
> >>
> >
> >
> >
>
>

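As an added example (not posted by either participant in the thread), here is the quoted no-nat / split-tunnel / PAT configuration rewritten the way the reply above recommends: internal networks spelled out instead of "any" or 0.0.0.0 0.0.0.0. The internal LANs 172.16.0.0/24 and 172.16.1.0/24 are an assumption; the posted config only shows that the DNS/WINS servers live in 172.16.0.0/24, so substitute the real inside subnets. The ACL direction (inside network as source, VPN pool as destination) follows the VPNUSER example given earlier in the thread.

```cisco
! ADDED EXAMPLE, not from the original posts.
! ASSUMPTION: inside LANs are 172.16.0.0/24 and 172.16.1.0/24.
! Pools as posted: PPTP 172.16.100.0/24, IPsec client 172.16.110.0/24.
!
! --- As posted: "any" on one side of every line ---
! access-list no-nat-inside permit ip any 172.16.100.0 255.255.255.0
! access-list no-nat-inside permit ip any 172.16.110.0 255.255.255.0
! access-list vpnpools permit ip 172.16.100.0 255.255.255.0 any
! access-list vpnpools permit ip 172.16.110.0 255.255.255.0 any
!
! --- Explicit: inside network -> VPN pool, nothing else NAT-exempt ---
access-list no-nat-inside permit ip 172.16.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat-inside permit ip 172.16.0.0 255.255.255.0 172.16.110.0 255.255.255.0
access-list no-nat-inside permit ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list no-nat-inside permit ip 172.16.1.0 255.255.255.0 172.16.110.0 255.255.255.0
nat (inside) 0 access-list no-nat-inside
!
! Split-tunnel ACL pushed to the IPsec client group: only the inside
! networks listed here are sent through the tunnel; everything else
! leaves the client's own LAN gateway directly. Only the IPsec pool
! (172.16.110.0/24) matters for this ACL.
access-list vpnpools permit ip 172.16.0.0 255.255.255.0 172.16.110.0 255.255.255.0
access-list vpnpools permit ip 172.16.1.0 255.255.255.0 172.16.110.0 255.255.255.0
vpngroup vpnclientgroup split-tunnel vpnpools
!
! Outbound PAT: list the inside networks instead of "nat (inside) 1 0.0.0.0 0.0.0.0",
! so packets with source addresses outside those subnets are not translated
! and forwarded.
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
global (outside) 1 interface
```

After applying it, `show access-list no-nat-inside` and `show access-list vpnpools` show per-line hit counts on PIX 6.3, which is the quickest way to confirm that traffic from a connected client to the inside networks is actually matching the explicit lines rather than falling through to the PAT rule.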

