Pix 506E - PPTP VPN access

Discussion in 'Cisco' started by Mikem, Nov 22, 2004.

  1. Mikem

    Mikem Guest

    I have a Cisco PIX 506E and have an outside vendor that wants to VPN
    into our network to a specific host. I have setup a pptp vpn
    configuration that works, but I now want to restrict who can establish
    a vpn connection to the pix. The configuration I have today is:

    access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.2.0
    255.255.255.0
    nat (inside) 0 access-list vpn
    sysopt connection permit-pptp
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username ***** password *****
    vpdn enable outside

    This works, but anyone can start a tunnel to my pix. How do I
    restrict who can establish a vpn to this device? Is it through normal
    acls or object-groups? If so, how do I associate them to the vpdn
    group?

    Thanks in advance for any help!
     
    Mikem, Nov 22, 2004
    #1

    1. Advertisements

  2. Mikem

    Walter Roberson Guest

    :I have a Cisco PIX 506E and have an outside vendor that wants to VPN
    :into our network to a specific host.

    :vpdn group 1 accept dialin pptp

    :vpdn username ***** password *****

    :This works, but anyone can start a tunnel to my pix. How do I
    :restrict who can establish a vpn to this device? Is it through normal
    :acls or object-groups?

    You can't do it through ACLs, as ACLs only apply to traffic that
    passes -through- the PIX, and never to traffic that goes *to* the PIX
    itself such as the authentication sequence.


    What I would suggest is to have your vendor stop using PPTP and
    start using IPSec (which, if I recall correctly, is available natively
    in XP; if not, get them using the Cisco VPN client.) If the vendor
    is using IPSec then you'd be configuring 'vpngroup' instead of
    'vpdn', and then you could take advantage of this note in the
    vpngroup documentation:

    Note: Both the vpngroup password command and the isakmp key address
    command let you specify a pre-shared key to be used for IKE
    authentication. We recommend that you use the vpngroup password
    command only if you plan to configure more than one VPN user group.
    The vpngroup password command gives the PIX Firewall added
    flexibility to configure different VPN user groups.

    The importance of this note is that it says you can substitute
    an isakmp key statement for a vpngroup password statement -- and
    isakmp key statements include an IP address and netmask that determines
    which remote system is allowed to use that particular key. You can
    thuswise lock down the potential connection to a particular address.
     
    Walter Roberson, Nov 22, 2004
    #2

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. PIX 506e (6.3 (1)) PPTP VPN with all Invalid IP's

  2. PIX 501: Access an IPSEC VPN through a PPTP VPN - is this possible?

  3. mixing pix-to-pix vpn and pptp-dial-in-vpn on pix501

  4. Pix 506e, PPTP problem

  5. PIX 506E PPTP VPN

  6. Pix 506e as PPTP server

  7. PIX 506E - PPTP remote site VPN?

  8. PIX 506e Access VPN and Lan2Lan VPN

Loading...