[c-nsp] PIX - access-list for pptp
Eric Helm
helmwork at ruraltel.net
Mon Sep 18 12:04:59 EDT 2006
fixup protocol pptp 1723 is usually required.
/Eric
Sam Cao wrote:
>> I have configured a PIX (ver 6.3) to terminate pptp
>> connections. I'd like to manage what the pptp clients can
>> access on the internal network, but have been unsuccessful in implementing it.
>>
>> ip address inside 10.10.110.1 255.255.255.0
>> !
>> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
>> !
>> vpdn group 1 accept dialin pptp
>> vpdn group 1 ppp authentication mschap
>> vpdn group 1 ppp encryption mppe 128 required
>> vpdn group 1 client configuration address local remote-addr-pool
>> vpdn group 1 client configuration dns 10.10.110.3
>> vpdn group 1 client authentication aaa RADIUS
>> vpdn group 1 pptp echo 60
>> !
>>
>> I want the pptp clients with ip 10.10.111.0/24 to only be able
>> to access some hosts on the inside interface 10.10.110.0/24 (i.e.
>> only allow access to hosts 10.10.110.2 and 10.10.110.3, or
>> 10.10.110.0/28).
>>
>> I tried an access-list inbound on the outside interface; it seems
>> it wouldn't filter, as the packet was encapsulated.
>> I tried an access-list inbound on the inside interface; it seems to only
>> stop traffic initiated from inside.
>>
>> Is there a way to do it?
>>
>> Sam
>>
>
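Editor's note, not part of the thread: the fragment below is an added example of how Eric's fixup line would be combined with an outside-interface ACL to restrict the 10.10.111.0/24 PPTP pool to 10.10.110.0/28 on a PIX 6.3. It is not Sam's or Eric's configuration. Assumptions not in the original: the PIX outside address is 192.0.2.1 (a documentation address), the ACL is named outside_in, and sysopt connection permit-pptp is left off so that client traffic arriving through the PPTP tunnel is checked against the outside ACL rather than bypassing it; check that last point against the PIX 6.3 command reference before relying on it.

```cisco
! Added example (not from the original thread). Assumed: outside address
! 192.0.2.1, ACL name outside_in, and that "sysopt connection permit-pptp"
! must be absent for decapsulated PPTP client traffic to hit the outside ACL.
fixup protocol pptp 1723
vpdn enable outside
!
! PPTP control channel and GRE data from any client to the PIX itself
access-list outside_in permit tcp any host 192.0.2.1 eq 1723
access-list outside_in permit gre any host 192.0.2.1
!
! Traffic from the remote-addr-pool after decapsulation:
! allow only 10.10.110.0/28, then explicitly drop the rest of 10.10.110.0/24
access-list outside_in permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240
access-list outside_in deny ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.0
! everything else falls through to the implicit deny at the end of the list
access-group outside_in in interface outside
!
! Assumed requirement: without this, PPTP traffic bypasses the ACL check
no sysopt connection permit-pptp
```

PIX 6.x access-lists take a subnet mask, not an IOS-style wildcard mask, which is why 10.10.110.0/28 is written as 255.255.255.240. The explicit deny line is there to make the intent visible in "show access-list" hit counts; the implicit deny would drop the same traffic.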