Remote access enables clients to access internal networks via VPN connections to the PIX firewall. You can use the Cisco VPN client software or even Microsoft's PPTP VPN client to connect to the PIX firewall. When clients connect to the firewall, they must authenticate, and this can be done either locally or via an AAA server. After a client is authenticated, the firewall hands out an IP address, much as a DHCP server issues an IP address to a client. This address range is assigned using the ip local pool command. Additionally, the PPTP VPN tunnel parameters are set up using the vpdn command. This section briefly covers how to allow PPTP clients VPN access into the PIX firewall. Figure 12.12 displays a PPTP VPN client example.

Figure 12.12. PPTP client example.
The following is a simple list of tasks you must perform:
The commands in Listing 12.7 enable users to access the PIX firewall.

Listing 12.7 Remote Access Using PPTP

pixfirewall(config)# sysopt connection permit-pptp
pixfirewall(config)# ip local pool pptp-pool 192.168.8.30-192.168.8.40
pixfirewall(config)# vpdn group 1 accept dialin pptp
pixfirewall(config)# vpdn group 1 ppp authentication mschap
pixfirewall(config)# vpdn group 1 ppp encryption mppe 40
pixfirewall(config)# vpdn group 1 client configuration address local pptp-pool
pixfirewall(config)# vpdn group 1 client configuration dns 194.72.6.57
pixfirewall(config)# vpdn group 1 pptp echo 60
pixfirewall(config)# vpdn group 1 client authentication local
pixfirewall(config)# vpdn enable outside
pixfirewall(config)# vpdn username dnewman password 1234

The sysopt connection permit-pptp Command

One method of allowing PPTP traffic into the PIX firewall is to use a command similar to the one you used for IPSec. The sysopt connection permit-pptp command allows PPTP traffic to bypass conduits and ACLs, thus allowing VPN connections into the PIX firewall.

The ip local pool Command

The ip local pool command enables you to create a pool of local addresses that are dynamically assigned to remote VPN clients. The following example creates a pool named pptp-pool that will allocate addresses from 192.168.8.30 to 192.168.8.40 to remote VPN clients:

pixfirewall(config)# ip local pool pptp-pool 192.168.8.30-192.168.8.40
The vpdn group Command

The vpdn group command is used to configure and enable L2TP and PPTP remote access VPNs. Table 12.11 describes several options of the vpdn group command for a PPTP connection. Listing 12.8 displays the vpdn group commands needed to set up and configure a PIX firewall for PPTP remote access.

Listing 12.8 vpdn group Commands Needed for PPTP Remote Access

pixfirewall(config)# vpdn group 1 accept dialin pptp
pixfirewall(config)# vpdn group 1 ppp authentication mschap
pixfirewall(config)# vpdn group 1 ppp encryption mppe 40
pixfirewall(config)# vpdn group 1 client configuration address local pptp-pool
pixfirewall(config)# vpdn group 1 client configuration dns 194.72.6.57
pixfirewall(config)# vpdn group 1 pptp echo 60
pixfirewall(config)# vpdn group 1 client authentication local
pixfirewall(config)# vpdn enable outside

Table 12.11a. vpdn group Options
The vpdn username password Command

The vpdn username password command enables you to create a local list of usernames and passwords for VPDN clients. The command shown here creates a user who can log in using a VPDN group:

pixfirewall(config)# vpdn username dnewman password 1234
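The following added example (not from the book or from Cisco) parses the PPTP-related commands in Listing 12.7 and reports what a reviewer would check before deploying them: the MPPE key length, the PPP authentication method, the ACL bypass granted by sysopt connection permit-pptp, credentials stored locally in the config, and whether the pool referenced by the group actually exists. The audit thresholds (128-bit MPPE, MS-CHAP for key derivation) are my own review rules, and the sample config is the listing with the prompt stripped.

```python
"""Audit PIX PPTP (vpdn) remote-access settings. Added example, not page code."""
import ipaddress
import re

# Constructed sample: the commands from Listing 12.7 without the CLI prompt.
SAMPLE_CONFIG = """
sysopt connection permit-pptp
ip local pool pptp-pool 192.168.8.30-192.168.8.40
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 194.72.6.57
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
vpdn username dnewman password 1234
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def parse_pix_pptp(config):
    """Collect pools (name -> size), per-group settings, users, and flags."""
    found = {"pools": {}, "groups": {}, "users": [], "permit_pptp": False, "enabled_on": []}
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        words = line.split()
        if line == "sysopt connection permit-pptp":
            found["permit_pptp"] = True
        elif m := POOL_RE.match(line):
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            found["pools"][m[1]] = int(last) - int(first) + 1
        elif words[:2] == ["vpdn", "enable"]:
            found["enabled_on"].append(words[2])
        elif words[:2] == ["vpdn", "username"]:
            found["users"].append(words[2])
        elif words[:2] == ["vpdn", "group"]:
            grp = found["groups"].setdefault(words[2], {})
            if words[3:5] == ["ppp", "authentication"]:
                grp["auth"] = words[5]
            elif words[3:6] == ["ppp", "encryption", "mppe"]:
                grp["mppe_bits"] = int(words[6])
            elif words[3:7] == ["client", "configuration", "address", "local"]:
                grp["pool"] = words[7]
    return found

def audit(found):
    """Return review findings for the parsed settings (my own review rules)."""
    findings = []
    for gid, grp in found["groups"].items():
        if grp.get("mppe_bits", 0) < 128:
            findings.append(f"group {gid}: MPPE {grp.get('mppe_bits', 0)}-bit encryption; prefer 128-bit")
        if grp.get("auth") != "mschap":  # MPPE keys are derived from MS-CHAP, not PAP/CHAP
            findings.append(f"group {gid}: authentication {grp.get('auth')} cannot key MPPE")
        if grp.get("pool") and grp["pool"] not in found["pools"]:
            findings.append(f"group {gid}: pool {grp['pool']} referenced but not defined")
    if found["permit_pptp"]:
        findings.append("sysopt connection permit-pptp: PPTP traffic bypasses conduits and ACLs")
    if found["users"]:
        findings.append(f"{len(found['users'])} local VPDN credential(s) stored in the config")
    return findings
```

Running audit(parse_pix_pptp(SAMPLE_CONFIG)) on the listing reports the 40-bit MPPE setting, the ACL bypass, and the locally stored credential; a group that points at a pool name with no matching ip local pool line is also reported.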