Virus.Org Mailing List Archive


RE: [VPN] VPN on Cisco PIX

  • To: <[EMAIL PROTECTED]>
  • Subject: RE: [VPN] VPN on Cisco PIX
  • From: "shannong" <[EMAIL PROTECTED]>
  • Date: Wed, 30 Apr 2003 20:23:10 -0500
  • In-reply-to: <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
The [sysopt connection permit-pptp] affects what things the VPDN client
can access after a successful session is established, which means
everything.  Without that sysopt command, you would need to define what
things a VPN client can access with ACLs as the usual rule of deny all
would be in effect when accessing higher security interfaces.

That sysopt command does not affect what addresses can connect to the
Pix for PPTP sessions.  Also, ACLs applied to a Pix's interface do not
affect traffic destined to the Pix itself, such as establishing a PPTP
session. That's why you use the commands icmp, telnet, ssh, etc. to
affect who/what can talk to the Pix, because normal ACLs on interfaces
don't stop/allow that traffic destined to the Pix.

Filtering the source address of those terminating VPN tunnels seemed to
be the question asked.  If that is the question, it cannot be done on
the Pix itself.  An ACL would need to be created on a device in front of
the Pix to limit who could connect to GRE/1723.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Dana J. Dawson
Sent: Wednesday, April 30, 2003 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [VPN] VPN on Cisco PIX

Actually, you can, but you have to remove the "sysopt connection
permit-pptp" command that is usually used.  In this case, you have to
permit all the incoming traffic to the PIX with an access-list (or
conduit, I suppose), including the PPTP traffic (GRE and TCP/1723).
Since you're using an access-list to allow that traffic, you can also
restrict the source, which is what you want.

HTH

Dana

-- 

Dana J. Dawson                     [EMAIL PROTECTED]
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

shannong wrote:
> No.  VPDN cannot be restricted by IP on the Pix.  Instead, you'll need
> to use an ACL on the router in front.  You can do real VPNs using IPSec
> and specify the IPs that can have access by defining their pre-shared
> keys for IKE.  All others will fail.
> 
> -Shannon
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of silvia ghezzi
> Sent: Tuesday, April 29, 2003 2:27 AM
> To: [EMAIL PROTECTED]
> Subject: [VPN] VPN on Cisco PIX
> 
> Hello,
> 
> I have enabled a PPTP VPN to my CISCO PIX, but I
> cannot find the way to filter the public source IP
> address to establish VPN with PIX, so at the moment
> everybody can create a VPN with us and we don't want
> this.
> 
> Is there a way to prevent this?
> 
> Many thanks
> Regards
> 
> Silvia

_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn
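Dana's suggestion written out as a PIX 6.x configuration fragment, added here as an illustration and not taken from any message in the thread. The ACL name, the interface name, the PIX outside address 192.0.2.1 and the permitted client range 198.51.100.0/24 are placeholders, and the premise that the outside access-list governs PPTP once the sysopt is removed is taken from Dana's message, not independently verified.

```cisco
: Constructed example, not from the thread. Placeholder addresses:
:   192.0.2.1       = PIX outside interface address
:   198.51.100.0/24 = only network allowed to start PPTP sessions
:
: 1. Drop the sysopt that lets PPTP bypass the outside access-list
no sysopt connection permit-pptp
:
: 2. Permit only the approved source range to reach the PIX on
:    TCP/1723 (PPTP control channel) and GRE (protocol 47, PPTP data)
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.1 eq 1723
access-list outside_in permit gre 198.51.100.0 255.255.255.0 host 192.0.2.1
:
: 3. Everything else arriving on outside, including PPTP attempts from
:    any other source, is dropped by the implicit deny at the list's end
access-group outside_in in interface outside
:
: 4. PPTP termination itself stays enabled on the outside interface
vpdn enable outside
```

Because the sysopt is gone, Shannon's first paragraph applies as well: traffic from connected VPN clients toward higher-security interfaces is now subject to the ordinary ACL rules and must be permitted explicitly.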