[VPN] VPN on Cisco PIX

Dana J. Dawson djdawso at qwest.com
Fri May 2 18:09:54 EDT 2003

I tested this in our lab and it does indeed behave as shannong describes below. 
  Thanks for the clarification!


shannong wrote:
> The [sysopt connection permit-pptp] affects what things the VPDN client
> can access after a successful session is established, which means
> everything.  With out that sysopt command, you would need to define what
> things an VPN client can access with ACLs as the usual rule of deny all
> would be in effect when accessing higher security interfaces.
> That sysopt command does not affect what addresses can connect to the
> Pix for PPTP sessions.  Also, ACLs applied to a Pix's interface do not
> affect traffic destined to the Pix itself, such as establishing a PPTP
> session. That's why you use the commands icmp, telnet, ssh, etc to
> affect who/what can talk to the Pix because normal ACLs on interfaces to
> don't stop/allow that traffic destined to the Pix.
> Filtering the source address of those terminating VPN tunnels seemed to
> be the question asked.  If that is the question, it cannot be done on
> the Pix itself.  An ACL would need to be created on a device in front of
> the Pix to limit who could connect to GRE/1723.
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
> Behalf Of Dana J. Dawson
> Sent: Wednesday, April 30, 2003 12:10 PM
> To: vpn at lists.shmoo.com
> Subject: Re: [VPN] VPN on Cisco PIX
> Actually, you can, but you have to remove the "sysopt connection
> permit-pptp" 
> command that is usually used.  In this case, you have to permit all the
> incoming 
> traffic to the PIX with an access-list (or conduit, I suppose),
> including the 
> PPTP traffic (GRE and TCP/1723).  Since you're using an access-list to
> allow 
> that traffic, you can also restrict the source, which is what you want.
> Dana


Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

More information about the VPN mailing list