[c-nsp] PIX - access-list for pptp

Andrew Yourtchenko ayourtch at gmail.com
Tue Sep 19 18:33:14 EDT 2006


Sam,

take a look at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea9.shtml

it has an example of how the per-user ACL (that is configured on the
box itself) could be used.

AFAIK, you would not be able to use the downloadable access-lists with
IAS - only with ACS.

thanks,
andrew

On 9/20/06, Sam Cao <scao at verio.net> wrote:
> Thanks Andrew,
>
> The filter on the outside interface worked after I removed "sysopt connection
> permit-pptp".
>
> I'd like to play with downloadable ACLs. I use Microsoft IAS as the RADIUS
> server; any configuration example will be appreciated.
>
> Sam,
>
> > -----Original Message-----
> > From: Andrew Yourtchenko [mailto:ayourtch at gmail.com]
> > Sent: Tuesday, September 19, 2006 6:03 AM
> > To: scao at verio.net
> > Cc: Eric Helm; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] PIX - access-list for pptp
> >
> >
> > To be exact, the fixup pptp is not to allow the pptp to come
> > *to* the PIX, this is to allow the PPTP to go *through* the
> > PIX - so it does not belong to this setup.
> >
> > What I believe should help is giving to the users
> > downloadable/per-user  ACLs from RADIUS, and the access-group
> > on the "outside" interface (the one terminating the PPTP)
> > having the "per-user-override" keyword.
> >
> > And pay attention to the "sysopt connection permit-pptp" - it
> > configures all the PPTP-decapsulated traffic to get in
> > without the check on the inbound interface ACL.
> >
> > ACL on the inside would not help since the connection is
> > originated on the outside - so the return packets do not hit
> > the ACL as they hit the already established connection.
> >
> > thanks,
> > andrew
> >
> >
> >
> > On 9/19/06, Sam Cao <scao at verio.net> wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Eric Helm [mailto:helmwork at ruraltel.net]
> > > > Sent: Monday, September 18, 2006 11:05 AM
> > > > To: scao at verio.net
> > > > Cc: cisco-nsp at puck.nether.net
> > > > Subject: Re: [c-nsp] PIX - access-list for pptp
> > > >
> > > >
> > > > fixup protocol pptp 1723 is usually required.
> > > >
> > > This is to allow pptp to come in; my problem is to control what a remote
> > > pptp user can or can't access on the hosts on the inside interface.
> > >
> > > Sam,
> > >
> > > > /Eric
> > > >
> > > > Sam Cao wrote:
> > > > >> I have configured PIX (ver 6.3) to terminate pptp connections.
> > > > >> I'd like to manage what the pptp client can access on the
> > > > >> internal network, but have been unsuccessful implementing it.
> > > > >>
> > > > >> ip address inside 10.10.110.1 255.255.255.0
> > > > >> !
> > > > >> ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
> > > > >> !
> > > > >> vpdn group 1 accept dialin pptp
> > > > >> vpdn group 1 ppp authentication mschap
> > > > >> vpdn group 1 ppp encryption mppe 128 required
> > > > >> vpdn group 1 client configuration address local remote-addr-pool
> > > > >> vpdn group 1 client configuration dns 10.10.110.3
> > > > >> vpdn group 1 client authentication aaa RADIUS
> > > > >> vpdn group 1 pptp echo 60
> > > > >> !
> > > > >>
> > > > >> I want the pptp clients with IP 10.10.111.0/24 to only be able to
> > > > >> access some hosts on the inside interface 10.10.110.0/24 (i.e. only
> > > > >> allow access to hosts 10.10.110.2 and 10.10.110.3, or
> > > > >> 10.10.110.0/28).
> > > > >>
> > > > >> I tried an access-list in on the outside interface; it seems it
> > > > >> wouldn't filter, as the packet was encapsulated. I tried an
> > > > >> access-list in on the inside interface; it seems to only stop
> > > > >> traffic initiated from inside.
> > > > >>
> > > > >> Is there a way to do it?
> > > > >>
> > > > >> Sam,
> > > > >>
> > > > >
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > > >
> > > >
> > >
> > >
> >
>
>
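To make the thread's conclusion concrete, here is an added PIX 6.3 configuration fragment (not posted by Sam or Andrew, and not from the Cisco note) that implements what Andrew described and Sam confirmed: the "sysopt connection permit-pptp" bypass removed, an inbound ACL on the outside interface limiting the 10.10.111.0/24 pool to 10.10.110.0/28, and "per-user-override" so a per-user ACL selected by RADIUS can replace it. The ACL names, the "vpdn enable outside" line, and the use of the RADIUS Filter-Id attribute to name the per-user ACL are assumptions.

```cisco
! Added example, not the configuration from the thread. Builds on the
! "vpdn group 1 ..." lines in Sam's posting, which are assumed unchanged.
ip local pool remote-addr-pool 10.10.111.1-10.10.111.254
vpdn enable outside
!
! Weak setting: decapsulated PPTP traffic bypasses the outside ACL entirely,
! so no interface filter can restrict what remote users reach.
! sysopt connection permit-pptp
!
! Corrected: remove the bypass so decapsulated packets are checked by the
! ACL applied inbound on the interface that terminates PPTP (outside).
no sysopt connection permit-pptp
!
! Default policy for the pool: only 10.10.110.0/28 on the inside network.
access-list outside_in permit ip 10.10.111.0 255.255.255.0 10.10.110.0 255.255.255.240
access-list outside_in deny ip 10.10.111.0 255.255.255.0 any
! (other inbound rules for the outside interface follow here)
!
! per-user-override lets an ACL returned by RADIUS for a user replace
! outside_in for that user's traffic; users without one get outside_in.
access-group outside_in in interface outside per-user-override
!
! A tighter per-user ACL defined on the PIX itself (the approach in the note
! Andrew linked). Assumption: with IAS the RADIUS server names it via the
! Filter-Id attribute (11); ACS-style downloadable ACLs are not used here.
access-list pptp_dns_only permit udp 10.10.111.0 255.255.255.0 host 10.10.110.3 eq domain
access-list pptp_dns_only deny ip any any
```

After applying it, "show access-list" should show hit counts on outside_in climbing for PPTP client traffic, which confirms the bypass is gone.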

