[c-nsp] PIX - access-list for pptp

Sam Cao scao at verio.net
Mon Sep 18 20:37:28 EDT 2006



> -----Original Message-----
> From: Eric Helm [mailto:helmwork at ruraltel.net] 
> Sent: Monday, September 18, 2006 11:05 AM
> To: scao at verio.net
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX - access-list for pptp
> 
> 
> fixup protocol pptp 1723 is usually required.
> 
This is to allow pptp to come in; my problem is to control what a remote pptp
user can or can't access on the hosts on the inside interface.

Sam,

> /Eric
> 
> Sam Cao wrote:
> >> I have configured PIX (ver 6.3) to terminate pptp
> >> connections. I'd like to manage what the pptp client can
> >> access on the internal network, but have been unsuccessful in implementing it.
> >>
> >> ip address inside 10.10.110.1 255.255.255.0
> >> !
> >> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
> >> !
> >> vpdn group 1 accept dialin pptp
> >> vpdn group 1 ppp authentication mschap
> >> vpdn group 1 ppp encryption mppe 128 required
> >> vpdn group 1 client configuration address local remote-addr-pool
> >> vpdn group 1 client configuration dns 10.10.110.3
> >> vpdn group 1 client authentication aaa RADIUS
> >> vpdn group 1 pptp echo 60
> >> !
> >>
> >> I want the pptp clients with ip 10.10.111.0/24 to only be able
> >> to access some hosts on the inside interface 10.10.110.0/24 (i.e.
> >> only allow access to hosts 10.10.110.2 and 10.10.110.3, or
> >> 10.10.110.0/28).
> >>
> >> I tried an access-list in on the outside interface; it seems it
> >> wouldn't filter, as the packet was encapsulated.
> >> I tried an access-list in on the inside interface; it seems to only
> >> stop traffic initiated from inside.
> >>
> >> Is there a way to do it?
> >>
> >> Sam,
> >>
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
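
Whichever interface the access-list finally ends up applied to, the ACE list itself can be checked offline against the policy Sam describes (pool 10.10.111.0/24 may reach only 10.10.110.2, 10.10.110.3 or 10.10.110.0/28). The following is an added example, not code from the thread or from Cisco: a small evaluator for PIX 6.3-style `access-list` lines (real subnet masks, not IOS wildcards; `ip` protocol only) that applies first-match semantics to sample flows. The ACL text and the flows are constructed for illustration.

```python
import ipaddress

# Constructed ACL expressing the policy in the question: the PPTP pool
# 10.10.111.0/24 may reach only 10.10.110.2, 10.10.110.3 and 10.10.110.0/28.
# PIX 6.3 syntax uses real subnet masks (not IOS-style wildcard masks).
PIX_ACL = """
access-list pptp_in permit ip 10.10.111.0 255.255.255.0 host 10.10.110.2
access-list pptp_in permit ip 10.10.111.0 255.255.255.0 host 10.10.110.3
access-list pptp_in permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240
access-list pptp_in deny ip any any
"""

def _parse_addr(tokens):
    """Consume one PIX address spec ('host A', 'any', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into (action, src, dst) ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        action = t[2]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append((action, src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation, as the PIX does; implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"

ACES = parse_acl(PIX_ACL)

if __name__ == "__main__":
    for flow in [("10.10.111.5", "10.10.110.2"), ("10.10.111.5", "10.10.110.14"),
                 ("10.10.111.5", "10.10.110.50")]:
        print(flow, evaluate(ACES, *flow))
```

Run it with the ACL you intend to apply; a flow that evaluates to `permit` when the policy says it should be blocked is a gap in the ACE list rather than in its placement.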