[c-nsp] cisco-nsp(PIX - access-list for pptp)
dennis usle
dusle at comcast.net
Mon Sep 18 16:50:13 EDT 2006
The problem is likely that you have enabled "sysopt connection permit-pptp".
When enabled, anything through that PPTP tunnel is permitted. To
work around this you can remove the command ("no sysopt connection
permit-pptp") and permit the traffic you require, including the inbound GRE
and TCP 1723 traffic required to terminate the VPN on your PIX. Check out
this link, it describes your problem pretty well.
http://lists.shmoo.com/pipermail/vpn/2003-May/004173.html
Dennis
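As an added example (not part of Dennis's reply or Sam's config), here is what the explicit permit set looks like on a PIX 6.3 once the sysopt bypass is removed; OUTSIDE_IP is a placeholder for the PIX outside interface address, which the thread does not give, and the ACL name outside_in is assumed.

```cisco
! Added example: lock down PPTP clients on a PIX 6.3 after removing the
! blanket "sysopt connection permit-pptp". OUTSIDE_IP is a placeholder for
! the PIX outside interface address (not stated in the thread).
!
! 1. Stop the PIX from bypassing the outside ACL for decapsulated PPTP traffic
no sysopt connection permit-pptp
!
! 2. The tunnel itself must still be able to terminate on the PIX:
!    TCP 1723 is the PPTP control channel, GRE (IP protocol 47) carries the PPP frames
access-list outside_in permit tcp any host OUTSIDE_IP eq 1723
access-list outside_in permit gre any host OUTSIDE_IP
!
! 3. Decapsulated client traffic (source = pool 10.10.111.0/24) is now
!    evaluated by this same ACL; allow only the two inside hosts Sam named
!    (10.10.110.3 is also the DNS server handed to the clients)
access-list outside_in permit ip 10.10.111.0 255.255.255.0 host 10.10.110.2
access-list outside_in permit ip 10.10.111.0 255.255.255.0 host 10.10.110.3
! or, to allow the whole 10.10.110.0/28 range instead of the two hosts:
! access-list outside_in permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240
!
! Explicit deny so the drops show up in syslog; the implicit deny at the end
! of the ACL would drop them silently anyway
access-list outside_in deny ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.0 log
!
! 4. Apply the ACL inbound on the outside interface
access-group outside_in in interface outside
```

If an ACL is already bound to the outside interface, add these lines to that ACL rather than binding a second one, since any other inbound services you publish on the outside still need their own permit entries.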
----- Original Message -----
From: <cisco-nsp-request at puck.nether.net>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, September 18, 2006 12:00 PM
Subject: cisco-nsp Digest, Vol 46, Issue 62
>
> Today's Topics:
>
> 1. Re: ospf capability vrf-lite (Thomas Braun)
> 2. PIX - access-list for pptp (Sam Cao)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 18 Sep 2006 16:56:42 +0200
> From: Thomas Braun <tb at westend.com>
> Subject: Re: [c-nsp] ospf capability vrf-lite
> To: Liviu Pislaru <leev at rdsnet.ro>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <450EB3AA.6020408 at westend.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
>> This command (capability vrf-lite) exists on ME-3750 but you must have at
>> least
>> IOS 12.2(25)EY. Maybe you have at this moment IOS 12.1(..)AX;
> Ah, thanks,
>
> The command is also in 12.2(25)SEG1.
>
> Thanks
> Thomas
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 18 Sep 2006 10:48:20 -0500
> From: "Sam Cao" <scao at verio.net>
> Subject: [c-nsp] PIX - access-list for pptp
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <001701c6db39$ddf29800$332efc0a at IBMT40>
> Content-Type: text/plain; charset="us-ascii"
>
>
>> I have configured PIX (ver 6.3) to terminate pptp
>> connections. I'd like to manage what the pptp client can
>> access on the internal network, but was unsuccessful in implementing it.
>>
>> ip address inside 10.10.110.1 255.255.255.0
>> !
>> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
>> !
>> vpdn group 1 accept dialin pptp
>> vpdn group 1 ppp authentication mschap
>> vpdn group 1 ppp encryption mppe 128 required
>> vpdn group 1 client configuration address local remote-addr-pool
>> vpdn group 1 client configuration dns 10.10.110.3
>> vpdn group 1 client authentication aaa RADIUS
>> vpdn group 1 pptp echo 60
>> !
>>
>> I want the pptp clients with ip 10.10.111.0/24 only be able
>> to access some hosts on inside interface 10.10.110.0/24 (i.e.
>> only allow to access hosts 10.10.110.2 and 10.10.110.3 or
>> 10.10.110.0/28).
>>
>> I tried access-list in on the outside interface; it seems it
>> wouldn't filter as the packet was encapsulated.
>> I tried access-list in on the inside interface; it seems to only
>> stop traffic initiated from inside.
>>
>> Is there a way to do it?
>>
>> Sam,
>>
>
>
>
> ------------------------------
>