[VPN] VPN on Cisco PIX
Dana J. Dawson
djdawso at qwest.com
Fri May 2 18:09:54 EDT 2003
I tested this in our lab and it does indeed behave as shannong describes below.
Thanks for the clarification!
> The [sysopt connection permit-pptp] affects what things the VPDN client
> can access after a successful session is established, which means
> everything. Without that sysopt command, you would need to define what
> things a VPN client can access with ACLs, as the usual rule of deny all
> would be in effect when accessing higher security interfaces.
> That sysopt command does not affect what addresses can connect to the
> Pix for PPTP sessions. Also, ACLs applied to a Pix's interface do not
> affect traffic destined to the Pix itself, such as establishing a PPTP
> session. That's why you use the commands icmp, telnet, ssh, etc. to
> affect who/what can talk to the Pix, because normal ACLs on interfaces
> don't stop/allow that traffic destined to the Pix.
> Filtering the source address of those terminating VPN tunnels seemed to
> be the question asked. If that is the question, it cannot be done on
> the Pix itself. An ACL would need to be created on a device in front of
> the Pix to limit who could connect to GRE/1723.
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
> Behalf Of Dana J. Dawson
> Sent: Wednesday, April 30, 2003 12:10 PM
> To: vpn at lists.shmoo.com
> Subject: Re: [VPN] VPN on Cisco PIX
> Actually, you can, but you have to remove the "sysopt connection"
> command that is usually used. In this case, you have to permit all the
> traffic to the PIX with an access-list (or conduit, I suppose),
> including the PPTP traffic (GRE and TCP/1723). Since you're using an
> access-list to that traffic, you can also restrict the source, which is
> what you want.
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Communications (612) 664-3364
600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."
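As an added illustration of the thread's conclusion (not part of the original messages): since the PIX's own interface ACLs do not filter traffic terminating on the PIX, the source restriction for PPTP sessions is placed on the router in front of it. This example assumes a Cisco IOS router whose inside-facing interface is FastEthernet0/0, a PIX outside address of 198.51.100.2 and an allowed client at 203.0.113.10; all names and addresses are constructed.

```cisco
! Constructed example: filter PPTP tunnel endpoints before they reach the PIX.
! PPTP needs two things to reach the PIX outside address: the TCP/1723
! control channel and the GRE data channel, so both are matched explicitly.
ip access-list extended PPTP-TO-PIX
 remark Only the approved client may open PPTP (control + GRE) to the PIX
 permit tcp host 203.0.113.10 host 198.51.100.2 eq 1723
 permit gre host 203.0.113.10 host 198.51.100.2
 remark Everyone else is denied for these protocols; log the attempts
 deny   tcp any host 198.51.100.2 eq 1723 log
 deny   gre any host 198.51.100.2 log
 remark Other traffic to the PIX is still passed and left to the PIX rules
 permit ip any any
!
interface FastEthernet0/0
 description Link toward PIX outside interface
 ip access-group PPTP-TO-PIX in
```

On the PIX itself the sysopt connection permit-pptp command can stay in place, since this ACL only decides who may reach the PIX with PPTP, not what an established client may access.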