Configuration
In this section, we will configure the PIX firewall to accept PPTP connections.
Most of the PPTP configuration tasks on the PIX are performed using vpdn
commands. VPDN stands for Virtual Private Dialup Networking and is used on the
PIX as a common term for PPTP, L2TP, and PPPoE configurations. As with
IPsec, the first step is to permit incoming PPTP traffic. This is done using the
following command:
sysopt connection permit-pptp
This command implicitly allows all traffic from authenticated PPTP clients to
pass to its destination without additional conduits or access lists. Without this
command it is necessary to create additional entries in the access lists on the outside
interface, because even if dial-in clients receive internal IP addresses, their
packets still arrive on the outside interface.
The rest of the configuration consists of the following:
1. Creating an address pool for PPTP clients
2. Creating an AAA configuration if external AAA servers are used
3. Creating a dial-in group (VPDN group) and setting dial-in parameters
such as authentication and encryption
4. Creating access lists, which allow PPTP clients to access internal servers
(if you did not specify the sysopt connection permit-pptp command)
An IP address pool is created using the following command:
ip local pool <pool_name> <pool_start_address>-<pool_end_address>
This command creates a named pool (pool_name can be any alphanumeric
name) with the starting address pool_start_address and the ending address
pool_end_address. For example:
PIX1(config)# ip local pool mypool 10.1.1.1-10.1.1.10
This command allocates 10 IP addresses to the pool of available addresses.
The state of this pool can be displayed using the show ip local pool
command:
PIX1# show ip local pool mypool
Pool Begin End Free In use
mypool 10.0.1.1 10.0.0.10 10 0
www.syngress.com
376 Chapter 7 • Configuring Virtual Private Networking
Available Addresses:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
10.0.1.6
10.0.1.7
10.0.1.8
10.0.1.9
10.0.1.10
When all the IP addresses from the pool are allocated and a new allocation
attempt fails, the PIX generates a syslog message of the type:
%PIX-3-213004: PPP virtual interface <number> client ip allocation failed.
Let's assume for a moment that we will not be using external AAA servers.
(The case of external authentication is described later.) We have to configure
a series of local usernames and passwords. This is done using the following
command:
vpdn username <username> password <password>
For example:
PIX1(config)# vpdn username user1 password password1
PIX1(config)# vpdn username user2 password password2
These two commands create two users, user1 with password password1 and
user2 with password password2. The next step is to create a VPDN group. The
minimal configuration without any authentication requires three commands:
vpdn group <group_name> accept dialin pptp
vpdn group <group_name> client configuration address local <pool_name>
vpdn enable <interface_name>
The first command enables processing of PPTP traffic by the group. The
second specifies the IP address pool to be used for clients. The third command
applies VPDN settings to the interface (usually an outside interface). If local
authentication is used, the following commands are added:
vpdn group <group_name> ppp authentication pap|chap|mschap
vpdn group <group_name> client authentication local
The first command selects the authentication mode (PAP, CHAP, or MS-CHAP).
The PIX supports only MS-CHAP version 1, not version 2. In all cases, the
same authentication protocol should be configured on the PIX and on the dial-in
client. If this command is not present in the PIX configuration, no authentication
is performed and any client is allowed. The second line specifies that a local
database will be used for authentication. When an external AAA server is used,
this server is configured by the standard AAA means. For example:
PIX1(config)# aaa-server myserver (inside) host 192.168.2.99 key mysecretkey
PIX1(config)# aaa-server myserver protocol radius
This server is then specified in a VPDN group using the following command:
vpdn group <group_name> client authentication aaa <server_group>
In our case, this will be:
PIX1(config)# vpdn group mygroup client authentication aaa myserver
Encryption is specified by the following command:
vpdn group <group_name> ppp encryption mppe 40|128|auto [required]
Here, 40, 128, or "auto" specifies the length of the encryption key. Again, it
must match the client settings. The auto keyword means that the PIX will accept both
40- and 128-bit keys. The required keyword means that if the client refuses to support
encryption with a key of the specified length, the connection will be dropped.
NOTE
If the PIX requires a 128-bit encryption key but a Windows 95/98 client
supports only 40-bit encryption (older exported versions), the initial
connection appears to be accepted; Windows moves a connection icon
to the taskbar, but PPP option negotiation is still in progress. The PIX
will refuse the PPTP tunnel; the Windows client will not be disconnected
immediately but will eventually time out.
It is possible to specify DNS and WINS server settings to be passed on to the
client with the following commands:
vpdn group <group_name> client configuration dns <dns_server1> [<dns_server2>]
vpdn group <group_name> client configuration wins <wins_server1> [<wins_server2>]
Let's consider some examples of PPTP configuration. The following is a configuration
with local MS-CHAP authentication and no encryption:
ip local pool mypool 192.168.3.1-192.168.3.10
vpdn username user1 password password1
vpdn username user2 password password2
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
sysopt connection permit-pptp
If we need more granular access to internal servers, we can replace the sysopt
command from the previous listing with an access list on the outside interface.
For example, to allow PPTP clients to access only the Telnet service on the internal
host 192.168.2.33, which has the outside address 12.23.34.99, the following configuration
can be used:
ip local pool mypool 192.168.3.1-192.168.3.10
vpdn username user1 password password1
vpdn username user2 password password2
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
static (inside, outside) 12.23.34.99 192.168.2.33
access-list acl_out permit tcp 192.168.3.0 255.255.255.240 host 12.23.34.99 eq telnet
access-group acl_out in interface outside
Note that when the sysopt connection permit-pptp command is absent, decapsulated
PPTP traffic is subject to all rules and access lists applied to the inbound
traffic.
Here is a more complex example in which clients authenticate with MS-CHAP
version 1 via an external RADIUS server, 128-bit encryption is required,
and clients receive DNS and WINS settings from the PIX:
ip local pool mypool 192.168.3.1-192.168.3.10
aaa-server myserver (inside) host 192.168.2.99 key mysecretkey
aaa-server myserver protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa myserver
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local mypool
vpdn group 1 client configuration dns 192.168.2.33
vpdn group 1 client configuration wins 192.168.2.34
vpdn enable outside
sysopt connection permit-pptp
The status of PPTP tunnels can be displayed using several commands:
PIX1# show vpdn tunnel
% No active L2TP tunnels
% No active PPTP tunnels
If any tunnels were active, statistics on their number and traffic would have
been displayed:
PIX1# show vpdn tunnel pptp packet
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID Pkts-In Pkts-Out Bytes-In Bytes-Out
1 1234 23 200323 553
The previous command shows only the traffic statistics for active PPTP data
tunnels. Another command is used to monitor the PPTP tunnels themselves:
PIX1# show vpdn tunnel pptp summary
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID State Remote Address Port Sessions
1 1 estabd 172.16.38.194 1723 1
The following commands display transport layer statistics and session information,
respectively:
show vpdn tunnel pptp transport
show vpdn pptp session
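As an added illustration that is not part of the book, the following Python script audits a PIX vpdn configuration listing for the weak settings this section describes: a dial-in group with no ppp authentication (any client is allowed), PAP, no MPPE or MPPE without the required keyword, acceptance of 40-bit keys, an address pool that is never defined, and the sysopt connection permit-pptp shortcut that bypasses the outside access lists. The sample configuration string is constructed from the first listing above; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the "local MS-CHAP, no encryption" listing from this section.
SAMPLE_CONFIG = """\
ip local pool mypool 192.168.3.1-192.168.3.10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
sysopt connection permit-pptp
"""
GROUP_RE = re.compile(r"^vpdn group (\S+) (.+)$")

def parse_vpdn_groups(config):
    """Map each vpdn group name to a list of its command word-lists."""
    groups = defaultdict(list)
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2).split())
    return groups

def audit_pptp_config(config):
    """Return (severity, message) findings for weak PPTP settings, high first."""
    lines = {l.strip() for l in config.splitlines()}
    pools = {l.split()[3] for l in lines if l.startswith("ip local pool ")}
    findings = []
    if "sysopt connection permit-pptp" in lines:  # PPTP clients skip outside ACLs
        findings.append(("medium", "sysopt connection permit-pptp: PPTP clients bypass outside access lists"))
    for name, cmds in parse_vpdn_groups(config).items():
        if ["accept", "dialin", "pptp"] not in cmds:
            continue  # not a PPTP dial-in group
        auth = [c[2] for c in cmds if c[:2] == ["ppp", "authentication"]]
        if not auth:  # per the text: no authentication is performed, any client is allowed
            findings.append(("high", f"group {name}: no ppp authentication, any client is allowed"))
        elif auth[0] == "pap":
            findings.append(("high", f"group {name}: PAP sends the password in cleartext"))
        enc = [c[3:] for c in cmds if c[:3] == ["ppp", "encryption", "mppe"]]
        if not enc:
            findings.append(("high", f"group {name}: no MPPE, tunnel payload is cleartext"))
        else:
            if "required" not in enc[0]:
                findings.append(("medium", f"group {name}: MPPE not 'required', client may skip encryption"))
            if enc[0][0] in ("40", "auto"):  # 'auto' accepts 40-bit keys as well
                findings.append(("low", f"group {name}: 40-bit MPPE keys accepted"))
        for c in cmds:
            if c[:4] == ["client", "configuration", "address", "local"] and c[4] not in pools:
                findings.append(("high", f"group {name}: address pool '{c[4]}' is not defined"))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f[0]])
```

Running it on the first listing reports the missing MPPE encryption as high and the sysopt shortcut as medium; the third listing above would only draw the low finding for the auto keyword plus the sysopt note.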