[VPN] VPN on Cisco PIX

shannong shannong at texas.net
Wed Apr 30 21:23:10 EDT 2003


The [sysopt connection permit-pptp] affects what things the VPDN client
can access after a successful session is established, which means
everything.  Without that sysopt command, you would need to define what
things a VPN client can access with ACLs as the usual rule of deny all
would be in effect when accessing higher security interfaces.

That sysopt command does not affect what addresses can connect to the
Pix for PPTP sessions.  Also, ACLs applied to a Pix's interface do not
affect traffic destined to the Pix itself, such as establishing a PPTP
session. That's why you use the commands icmp, telnet, ssh, etc. to
affect who/what can talk to the Pix, because normal ACLs on interfaces
don't stop/allow that traffic destined to the Pix.

Filtering the source address of those terminating VPN tunnels seemed to
be the question asked.  If that is the question, it cannot be done on
the Pix itself.  An ACL would need to be created on a device in front of
the Pix to limit who could connect to GRE/1723.


-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of Dana J. Dawson
Sent: Wednesday, April 30, 2003 12:10 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] VPN on Cisco PIX

Actually, you can, but you have to remove the "sysopt connection
permit-pptp" command that is usually used.  In this case, you have to
permit all the incoming traffic to the PIX with an access-list (or
conduit, I suppose), including the PPTP traffic (GRE and TCP/1723).
Since you're using an access-list to allow that traffic, you can also
restrict the source, which is what you want.

HTH

Dana

-- 

Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

shannong wrote:
> No.  VPDN cannot be restricted by IP on the Pix.  Instead, you'll need
> to use an ACL on the router in front.  You can do real VPNs using
> IPSec and specify the IPs that can have access by defining their
> pre-shared keys for IKE.  All others will fail.
> 
> -Shannon
> 
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
> Behalf Of silvia ghezzi
> Sent: Tuesday, April 29, 2003 2:27 AM
> To: vpn at lists.shmoo.com
> Subject: [VPN] VPN on Cisco PIX
> 
> Hello,
> 
> I have enabled a PPTP VPN to my CISCO PIX, but I
> cannot find the way to filter the public source IP
> address to establish VPN with PIX, so at the moment
> everybody can create a VPN with us and we don't want
> this.
> 
> Is there a way to prevent this?
> 
> Many thanks
> Regards
> 
> Silvia

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
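An added illustration of the two approaches discussed in this thread: Dana's interface access-list on the PIX with "sysopt connection permit-pptp" removed, and Shannon's ACL on the router in front of the PIX. This is example configuration written for this page, not configuration posted by either of them. The list names outside_in and PIX_PPTP_IN, the PIX outside address 198.51.100.1, the permitted client 203.0.113.10 and the router interface name are constructed placeholders; the PIX 6.x and IOS command syntax is assumed from the commands the thread names. The thread itself disagrees on whether a PIX interface ACL governs PPTP sessions terminated on the PIX, so the router ACL is the part that does not depend on that behaviour.

```cisco
! --- On the PIX (approach described by Dana): drop the blanket permit and
! --- allow the PPTP control channel and GRE only from the approved peer.
! Constructed addresses: 198.51.100.1 = PIX outside interface,
! 203.0.113.10 = the only host allowed to bring up a PPTP session.
no sysopt connection permit-pptp
access-list outside_in permit gre host 203.0.113.10 host 198.51.100.1
access-list outside_in permit tcp host 203.0.113.10 host 198.51.100.1 eq 1723
! Any other inbound traffic the site needs must be permitted here too;
! everything not listed is dropped by the implicit deny at the end.
access-group outside_in in interface outside
vpdn enable outside

! --- On the router in front of the PIX (approach described by Shannon):
! --- filter PPTP at the upstream hop, which holds regardless of how the
! --- PIX treats traffic addressed to itself.
ip access-list extended PIX_PPTP_IN
 permit gre host 203.0.113.10 host 198.51.100.1
 permit tcp host 203.0.113.10 host 198.51.100.1 eq 1723
 deny   gre any host 198.51.100.1 log
 deny   tcp any host 198.51.100.1 eq 1723 log
 permit ip any any
! Apply inbound on the router's Internet-facing interface (name assumed).
interface Serial0/0
 ip access-group PIX_PPTP_IN in
```

The two explicit deny lines on the router carry the log keyword so that rejected PPTP attempts from other sources show up in the router's log rather than disappearing silently; the trailing permit ip any any leaves all other filtering to the PIX, which is where the rest of the site's policy lives.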





