[c-nsp] PIX - access-list for pptp
Sam Cao
scao at verio.net
Tue Sep 19 18:24:43 EDT 2006
Thanks Andrew,
The filter on the outside interface worked after I removed "sysopt connection
permit-pptp".
I would like to play with downloadable ACLs. I use Microsoft IAS as the RADIUS
server; any configuration example would be appreciated.
Sam,
> -----Original Message-----
> From: Andrew Yourtchenko [mailto:ayourtch at gmail.com]
> Sent: Tuesday, September 19, 2006 6:03 AM
> To: scao at verio.net
> Cc: Eric Helm; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX - access-list for pptp
>
>
> To be exact, the fixup pptp is not to allow the pptp to come
> *to* the PIX, this is to allow the PPTP to go *through* the
> PIX - so it does not belong to this setup.
>
> What I believe should help is giving the users
> downloadable/per-user ACLs from RADIUS, and the access-group
> on the "outside" interface (the one terminating the PPTP)
> having the "per-user-override" keyword.
>
> And pay attention to the "sysopt connection permit-pptp" - it
> configures all the PPTP-decapsulated traffic to get in
> without the check on the inbound interface ACL.
>
> ACL on the inside would not help since the connection is
> originated on the outside - so the return packets do not hit
> the ACL as they hit the already established connection.
>
> thanks,
> andrew
>
>
>
> On 9/19/06, Sam Cao <scao at verio.net> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Eric Helm [mailto:helmwork at ruraltel.net]
> > > Sent: Monday, September 18, 2006 11:05 AM
> > > To: scao at verio.net
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] PIX - access-list for pptp
> > >
> > >
> > > fixup protocol pptp 1723 is usually required.
> > >
> > This is to allow pptp to come in; my problem is to control what the remote
> > pptp user can or can't access on the hosts on the inside interface.
> >
> > Sam,
> >
> > > /Eric
> > >
> > > Sam Cao wrote:
> > > >> I have configured PIX (ver 6.3) to terminate pptp connections.
> > > >> I'd like to manage what the pptp client can access on the
> > > >> internal network, but have been unsuccessful implementing it.
> > > >>
> > > >> ip address inside 10.10.110.1 255.255.255.0
> > > >> !
> > > >> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
> > > >> !
> > > >> vpdn group 1 accept dialin pptp
> > > >> vpdn group 1 ppp authentication mschap
> > > >> vpdn group 1 ppp encryption mppe 128 required
> > > >> vpdn group 1 client configuration address local remote-addr-pool
> > > >> vpdn group 1 client configuration dns 10.10.110.3
> > > >> vpdn group 1 client authentication aaa RADIUS
> > > >> vpdn group 1 pptp echo 60
> > > >> !
> > > >>
> > > >> I want the pptp clients with ip 10.10.111.0/24 to only be able to
> > > >> access some hosts on the inside interface 10.10.110.0/24 (i.e. only
> > > >> allow access to hosts 10.10.110.2 and 10.10.110.3, or
> > > >> 10.10.110.0/28).
> > > >>
> > > >> I tried an access-list in on the outside interface; it seems it
> > > >> wouldn't filter as the packet was encapsulated. I tried an
> > > >> access-list in on the inside interface; it seems to only stop
> > > >> traffic initiated from inside.
> > > >>
> > > >> Is there a way to do it?
> > > >>
> > > >> Sam,
> > > >>
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >
> > >
> >
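Putting Andrew's suggestion together for Sam's setup, as an added example that is not from anyone in this thread: the PIX 6.3 side (no sysopt, a fail-closed interface ACL with per-user-override) and the cisco-av-pair values the IAS remote access policy has to return. The ACL name outside_in, the aaa-server name, the IAS address and the shared secret are assumptions; the per-user entries use the hosts from Sam's message.

```text
! ---- PIX 6.3 (assumed ACL name "outside_in") ----
! Remove the sysopt: with it, decapsulated PPTP traffic skips the
! inbound ACL on the interface that terminates the tunnel.
no sysopt connection permit-pptp
!
! Fail-closed interface ACL for the PPTP pool. With per-user-override,
! an ACL downloaded from RADIUS replaces this ACL for that user's
! traffic; a user that gets no downloaded ACL falls back to this deny.
access-list outside_in deny ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.0
access-group outside_in in interface outside per-user-override
!
! RADIUS server referenced by "vpdn group 1 client authentication aaa RADIUS"
! (IAS host address and key are placeholders).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <IAS-address> <shared-secret>

! ---- Microsoft IAS remote access policy, per-user ACL ----
! Advanced attribute: Vendor-Specific, vendor code 9 (Cisco),
! vendor-assigned attribute number 1 (cisco-av-pair), attribute format String.
! One attribute instance per line; PIX access-list syntax (netmask, not
! wildcard), evaluated in #-order, with an implicit deny at the end.
ip:inacl#1=permit ip 10.10.111.0 255.255.255.0 host 10.10.110.2
ip:inacl#2=permit ip 10.10.111.0 255.255.255.0 host 10.10.110.3
ip:inacl#3=deny ip any any
!
! Alternative for the wider 10.10.110.0/28 range instead of #1 and #2:
! ip:inacl#1=permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240
```

After a client authenticates, `show access-list` on the PIX should list the downloaded per-user entries with their hit counts; if they are absent, the attribute is not reaching the PIX, and `debug radius` shows what IAS actually returned.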