Pix 506E - PPTP VPN access

Discussion in 'Cisco' started by Mikem, Nov 22, 2004.

  1. Mikem

    Mikem Guest

    I have a Cisco PIX 506E and have an outside vendor that wants to VPN
    into our network to a specific host. I have setup a pptp vpn
    configuration that works, but I now want to restrict who can establish
    a vpn connection to the pix. The configuration I have today is:

    access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    nat (inside) 0 access-list vpn
    sysopt connection permit-pptp
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username ***** password *****
    vpdn enable outside

    This works, but anyone can start a tunnel to my pix. How do I
    restrict who can establish a vpn to this device? Is it through normal
    acls or object-groups? If so, how do I associate them to the vpdn
    group?

    Thanks in advance for any help!
     
    Mikem, Nov 22, 2004
    #1

  2. In article <>,
    Mikem <> wrote:
    :I have a Cisco PIX 506E and have an outside vendor that wants to VPN
    :into our network to a specific host.

    :vpdn group 1 accept dialin pptp

    :vpdn username ***** password *****

    :This works, but anyone can start a tunnel to my pix. How do I
    :restrict who can establish a vpn to this device? Is it through normal
    :acls or object-groups?

    You can't do it through ACLs, as ACLs only apply to traffic that
    passes -through- the PIX, and never to traffic that goes *to* the PIX
    itself such as the authentication sequence.


    What I would suggest is to have your vendor stop using PPTP and
    start using IPSec (which, if I recall correctly, is available natively
    in XP; if not, get them using the Cisco VPN client.) If the vendor
    is using IPSec then you'd be configuring 'vpngroup' instead of
    'vpdn', and then you could take advantage of this note in the
    vpngroup documentation:

    Note: Both the vpngroup password command and the isakmp key address
    command let you specify a pre-shared key to be used for IKE
    authentication. We recommend that you use the vpngroup password
    command only if you plan to configure more than one VPN user group.
    The vpngroup password command gives the PIX Firewall added
    flexibility to configure different VPN user groups.

    The importance of this note is that it says you can substitute
    an isakmp key statement for a vpngroup password statement -- and
    isakmp key statements include an IP address and netmask that determines
    which remote system is allowed to use that particular key. You can
    thuswise lock down the potential connection to a particular address.
    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
     
    Walter Roberson, Nov 22, 2004
    #2
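    The substitution Walter describes, written out as an added PIX 6.x
    configuration sketch that is not from either poster: the first form binds
    the pre-shared key to a VPN group name, so any peer that presents that
    group name and key may attempt IKE; the second binds the key to the
    vendor's public address with a host netmask, so IKE from any other source
    address finds no matching key and fails before authentication starts.
    The group name "vendor", the peer address 203.0.113.25, the key placeholders
    and the supporting isakmp policy lines are assumptions for illustration,
    not values from the thread. Colon-prefixed lines are PIX comments.

```cisco
: Added example, not from the thread. Keys and addresses are placeholders.
:
: Form A - key tied to a VPN group (the flexible form in the documentation
: note). Nothing here limits which source address may start IKE.
vpngroup vendor address-pool pptp-pool
vpngroup vendor idle-time 1800
vpngroup vendor password <PLACEHOLDER-GROUP-KEY>
:
: Form B - key tied to one remote address. The host netmask 255.255.255.255
: means only 203.0.113.25 (assumed vendor gateway) can use this key.
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <PLACEHOLDER-PEER-KEY> address 203.0.113.25 netmask 255.255.255.255
```

    Only one of the two forms would be kept, and a key bound to a single
    address is the one that satisfies the original question. If PPTP is
    retired as suggested, the existing vpdn enable outside and
    sysopt connection permit-pptp lines would also go, so the PIX no longer
    answers PPTP at all. A successful negotiation from the permitted address
    shows up in show isakmp sa; an attempt from any other address does not.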