Configuring Remote Access Client VPNs


Remote access enables clients to reach internal networks through VPN connections terminated on the PIX firewall. You can use the Cisco VPN client software or even Microsoft's built-in PPTP VPN client to connect to the PIX firewall.

When clients connect to the firewall, they must authenticate, either against the local database or via an AAA server. After a client is authenticated, the firewall hands out an IP address, much as a DHCP server issues an address to a client. This address range is defined with the ip local pool command. The PPTP VPN tunnel parameters themselves are set up with the vpdn command. This section briefly covers how to allow PPTP clients VPN access into the PIX firewall. Figure 12.12 displays a PPTP VPN client example.

Figure 12.12. PPTP client example.


The following is a simple list of tasks you must perform:

  • Allow PPTP traffic to enter the PIX.

  • Create an IP address pool.

  • Configure the VPDN group.

  • Configure the usernames and passwords.

The commands in Listing 12.7 enable remote users to access the PIX firewall over PPTP.

Listing 12.7 Remote Access Using PPTP
 pixfirewall(config)# sysopt connection permit-pptp
 pixfirewall(config)# ip local pool pptp-pool 192.168.8.30-192.168.8.40
 pixfirewall(config)# vpdn group 1 accept dialin pptp
 pixfirewall(config)# vpdn group 1 ppp authentication mschap
 pixfirewall(config)# vpdn group 1 ppp encryption mppe 40
 pixfirewall(config)# vpdn group 1 client configuration address local pptp-pool
 pixfirewall(config)# vpdn group 1 client configuration dns 194.72.6.57
 pixfirewall(config)# vpdn group 1 pptp echo 60
 pixfirewall(config)# vpdn group 1 client authentication local
 pixfirewall(config)# vpdn enable outside
 pixfirewall(config)# vpdn username dnewman password 1234

The sysopt connection permit-pptp Command

One method of allowing PPTP traffic into the PIX firewall is to use a command similar to the one you used for IPSec. The sysopt connection permit-pptp command allows PPTP traffic to bypass conduits and ACLs, thus allowing PPTP VPN connections to terminate on the PIX firewall.

The ip local pool Command

The ip local pool command enables you to create a pool of local addresses that are dynamically assigned to remote VPN clients. The following example creates a pool named pptp-pool that will allocate addresses from 192.168.8.30 to 192.168.8.40 for remote VPN clients:

 pixfirewall(config)# ip local pool pptp-pool 192.168.8.30-192.168.8.40 
Alert: The ip local pool command is used for remote access VPN clients.


The vpdn group Command

The vpdn group command is used to configure and enable L2TP and PPTP remote access VPNs. Table 12.11 describes several options of the vpdn group command for a PPTP connection. Listing 12.8 displays the vpdn group commands needed to configure a PIX firewall for PPTP remote access.

Listing 12.8 vpdn group Commands Needed for PPTP Remote Access
 pixfirewall(config)# vpdn group 1 accept dialin pptp
 pixfirewall(config)# vpdn group 1 ppp authentication mschap
 pixfirewall(config)# vpdn group 1 ppp encryption mppe 40
 pixfirewall(config)# vpdn group 1 client configuration address local pptp-pool
 pixfirewall(config)# vpdn group 1 client configuration dns 194.72.6.57
 pixfirewall(config)# vpdn group 1 pptp echo 60
 pixfirewall(config)# vpdn group 1 client authentication local
 pixfirewall(config)# vpdn enable outside
Table 12.11a. vpdn group Options (Command: Description)

  • accept dialin: Defines either L2TP or PPTP as the VPN protocol accepted by the group.

  • ppp authentication: Specifies the PPP authentication protocol. The PIX supports PAP, CHAP, and MS-CHAP.

  • ppp encryption: Defines the allowable Microsoft Point-to-Point Encryption (MPPE) strength. The two types are 40 bit and 128 bit.

  • client configuration address local: Specifies the local IP address pool the VPDN group uses for remote clients.

  • client configuration dns: Specifies the DNS server IP address handed out to VPN clients.

  • pptp echo: Specifies the keepalive timeout value used to keep the VPN tunnel alive.

  • client authentication local: Specifies where PIX firewall authentication occurs. AAA services or the local database can be used.

  • enable outside: Enables PPTP on a single interface (here, the outside interface).

The vpdn username password Command

The vpdn username password command enables you to create a local list of usernames and passwords for VPDN clients. The command shown here creates a user who can log in using a VPDN group:

 pixfirewall(config)# vpdn username dnewman password 1234 
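As an added example (not from the book), the following Python audit parses the PPTP commands from a saved PIX configuration (prompts stripped) and flags the weaker choices this section discusses: 40-bit MPPE instead of 128-bit, a PPP authentication method other than MS-CHAP, a pool name with no matching ip local pool, a missing sysopt or vpdn enable, and short local passwords. The sample configuration embedded below is constructed from Listing 12.7.

```python
import re

# Constructed sample: the Listing 12.7 commands as saved in a PIX config (no prompts).
SAMPLE_CONFIG = """\
sysopt connection permit-pptp
ip local pool pptp-pool 192.168.8.30-192.168.8.40
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 194.72.6.57
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
vpdn username dnewman password 1234
"""

def audit_pptp_config(config_text):
    """Return a list of finding strings for the PPTP VPDN setup in config_text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    # Names of every pool defined with 'ip local pool', so group references can be checked.
    pools = {m.group(1) for ln in lines
             if (m := re.match(r"ip local pool (\S+) ", ln))}
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing 'sysopt connection permit-pptp': PPTP is still subject to ACLs/conduits")
    if not any(ln.startswith("vpdn enable ") for ln in lines):
        findings.append("no 'vpdn enable <interface>': VPDN is not active on any interface")
    for ln in lines:
        if m := re.match(r"vpdn group (\S+) ppp authentication (\S+)", ln):
            grp, method = m.groups()
            if method != "mschap":   # PAP sends cleartext passwords; MPPE keys need MS-CHAP
                findings.append(f"group {grp}: ppp authentication {method} (use mschap)")
        elif m := re.match(r"vpdn group (\S+) ppp encryption mppe (\S+)", ln):
            grp, bits = m.groups()
            if bits != "128":        # 40-bit MPPE is the weaker of the two strengths
                findings.append(f"group {grp}: mppe {bits} allows less than 128-bit encryption")
        elif m := re.match(r"vpdn group (\S+) client configuration address local (\S+)", ln):
            grp, pool = m.groups()
            if pool not in pools:    # clients would get no address from an undefined pool
                findings.append(f"group {grp}: address pool '{pool}' has no 'ip local pool' definition")
        elif m := re.match(r"vpdn username (\S+) password (\S+)", ln):
            user, pw = m.groups()
            if len(pw) < 8:          # local VPDN credentials are the whole remote-access gate
                findings.append(f"user {user}: password shorter than 8 characters")
    return findings

if __name__ == "__main__":
    for finding in audit_pptp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports the 40-bit MPPE setting and the short password for dnewman; a configuration using mppe 128 and a longer password yields no findings.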


CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
