Configuring Point-to-Point Tunneling Protocol-Configuration


Configuration

In this section, we will configure the PIX firewall to accept PPTP connections.

Most of the PPTP configuration tasks on the PIX are performed using vpdn commands. VPDN stands for Virtual Private Dialup Networking and is used on the PIX as a generic term for PPTP, L2TP, and PPPoE configurations. As with IPsec, the first step is to permit inbound PPTP traffic. This is done using the following command:

sysopt connection permit-pptp

This command implicitly allows all traffic from authenticated PPTP clients to pass to its destination without additional conduits or access lists. Without this command it is necessary to create additional entries in the access lists on the outside interface, because even if dial-in clients receive internal IP addresses, their packets still arrive on the outside interface.

The rest of the configuration consists of the following:

1. Creating an address pool for PPTP clients
2. Creating an AAA configuration if external AAA servers are used
3. Creating a dial-in group (VPDN group) and setting dial-in parameters such as authentication and encryption
4. Creating access lists, which allow PPTP clients to access internal servers (if you did not specify the sysopt connection permit-pptp command)

An IP address pool is created using the following command:

ip local pool <pool_name> <pool_start_address>[-<pool_end_address>]

This command creates a named pool (pool_name can be any alphanumeric name) with the starting address pool_start_address and the ending address pool_end_address. For example:

PIX1(config)# ip local pool mypool 10.1.1.1-10.1.1.10

This command allocates 10 IP addresses to the pool of available addresses. The state of this pool can be displayed using the show ip local pool command:

PIX1# show ip local pool mypool
Pool Begin End Free In use
mypool 10.0.1.1 10.0.0.10 10 0

www.syngress.com

376 Chapter 7 • Configuring Virtual Private Networking

Available Addresses:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
10.0.1.6
10.0.1.7
10.0.1.8
10.0.1.9
10.0.1.10

When all the IP addresses from the pool are allocated and a new allocation attempt fails, the PIX creates a syslog message of the type:

%PIX-3-213004: PPP virtual interface number client ip allocation failed.

Let's assume for a moment that we will not be using external AAA servers. (The case of external authentication is described later.) We have to configure a series of local usernames and passwords. This is done using the following command:

vpdn username <username> password <password>

For example:

PIX1(config)# vpdn username user1 password password1
PIX1(config)# vpdn username user2 password password2

These two commands create two users, user1 with password password1 and user2 with password password2. The next step is to create a VPDN group. The minimal configuration without any authentication requires three commands:

vpdn group <group_name> accept dialin pptp
vpdn group <group_name> client configuration address local <pool_name>
vpdn enable <interface>

The first command enables processing of PPTP traffic by the group. The second specifies the IP address pool to be used for clients. The third command applies the VPDN settings to an interface (usually the outside interface). If local authentication is used, the following commands are added:


vpdn group <group_name> ppp authentication {pap | chap | mschap}
vpdn group <group_name> client authentication local

The first command selects the authentication method (PAP, CHAP, or MS-CHAP). The PIX supports only MS-CHAP version 1, not version 2. In all cases, the same authentication protocol should be configured on the PIX and on the dial-in client. If this command is not present in the PIX configuration, no authentication is performed and any client is allowed. The second line specifies that the local user database will be used for authentication. When an external AAA server is used, this server is configured by the standard AAA means. For example:

PIX1(config)# aaa-server myserver (inside) host 192.168.2.99 key mysecretkey
PIX1(config)# aaa-server myserver protocol radius

This server is then referenced in a VPDN group using the following command:

vpdn group <group_name> client authentication aaa <server_tag>

In our case, this will be:

PIX1(config)# vpdn group mygroup client authentication aaa myserver

Encryption is specified by the following command:

vpdn group <group_name> ppp encryption mppe 40 | 128 | auto [required]

Here, 40, 128, or "auto" specifies the length of the encryption key. Again, it must match the client settings. The auto keyword means that the PIX will accept both 40- and 128-bit keys. The required keyword means that if the client refuses to support encryption with a key of the specified length, the connection will be dropped.

NOTE

If the PIX requires a 128-bit encryption key but a Windows 95/98 client supports only 40-bit encryption (older exported versions), the initial connection appears to be accepted; Windows moves a connection icon to the taskbar, but PPP option negotiation is still in progress. The PIX will refuse the PPTP tunnel; the Windows client will not be disconnected immediately but will eventually be timed out.

It is possible to specify DNS and WINS server settings to be passed on to the client with the following commands:


vpdn group <group_name> client configuration dns <dns_server1> [<dns_server2>]
vpdn group <group_name> client configuration wins <wins_server1> [<wins_server2>]

Let's consider some examples of PPTP configuration. The following is a configuration with local MS-CHAP authentication and no encryption:

ip local pool mypool 192.168.3.1-192.168.3.10
vpdn username user1 password password1
vpdn username user2 password password2
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
sysopt connection permit-pptp

If we need more granular access to internal servers, we can replace the sysopt command from the previous listing with an access list on the outside interface. For example, to allow PPTP clients to access only the Telnet service on the internal host 192.168.2.33, which has the outside address 12.23.34.99, the following configuration can be used:

ip local pool mypool 192.168.3.1-192.168.3.10
vpdn username user1 password password1
vpdn username user2 password password2
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
static (inside, outside) 12.23.34.99 192.168.2.33
access-list acl_out permit tcp 192.168.3.0 255.255.255.240 host 12.23.34.99 eq telnet
access-group acl_out in interface outside

Note that when the sysopt connection permit-pptp command is absent, decapsulated PPTP traffic is subject to all rules and access lists applied to inbound traffic.


Here is a more complex example in which clients authenticate with MS-CHAP version 1 via an external RADIUS server, 128-bit encryption is required, and clients receive DNS and WINS settings from the PIX:

ip local pool mypool 192.168.3.1-192.168.3.10
aaa-server myserver (inside) host 192.168.2.99 key mysecretkey
aaa-server myserver protocol radius
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa myserver
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local mypool
vpdn group 1 client configuration dns 192.168.2.33
vpdn group 1 client configuration wins 192.168.2.34
vpdn enable outside
sysopt connection permit-pptp
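As an added example (not from the book or from Cisco), a small Python checker that reads a PIX listing such as the three above and reports the weak points this section warns about: a group with no ppp authentication line admits any client, a group without ppp encryption mppe or without the required keyword lets the client negotiate weak or no encryption, a pool name that is not defined, and sysopt connection permit-pptp, which bypasses the outside access lists. SAMPLE_CONFIG is the first listing above, embedded as constructed sample input.

```python
import re

# Constructed sample input: the section's first listing (local MS-CHAP, no encryption).
SAMPLE_CONFIG = """\
ip local pool mypool 192.168.3.1-192.168.3.10
vpdn username user1 password password1
vpdn username user2 password password2
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 client configuration address local mypool
vpdn enable outside
sysopt connection permit-pptp
"""

def audit_pptp_config(config_text):
    """Return (severity, finding) tuples for every PPTP dial-in group in a PIX listing."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    pools = {m.group(1) for l in lines for m in [re.match(r"ip local pool (\S+) ", l)] if m}
    groups = {m.group(1) for l in lines
              for m in [re.match(r"vpdn group (\S+) accept dialin pptp$", l)] if m}
    findings = []
    for g in sorted(groups):
        prefix = f"vpdn group {g} "
        glines = [l[len(prefix):] for l in lines if l.startswith(prefix)]
        # Without a 'ppp authentication' line the PIX authenticates nobody and admits any client.
        if not any(x.startswith("ppp authentication ") for x in glines):
            findings.append(("HIGH", f"group {g}: no ppp authentication, any client is allowed"))
        elif "ppp authentication pap" in glines:
            findings.append(("MEDIUM", f"group {g}: PAP sends the password in cleartext"))
        enc = [x.split() for x in glines if x.startswith("ppp encryption mppe ")]
        if not enc:
            findings.append(("HIGH", f"group {g}: no MPPE encryption configured"))
        else:
            # enc[0] == ['ppp', 'encryption', 'mppe', <40|128|auto>, ['required']]
            if "required" not in enc[0]:
                findings.append(("MEDIUM", f"group {g}: encryption not required, a client may negotiate none"))
            if enc[0][3] != "128":
                findings.append(("LOW", f"group {g}: 40-bit MPPE keys are accepted"))
        # The pool named in the group must exist as an 'ip local pool' line.
        pool = [x.split()[-1] for x in glines if x.startswith("client configuration address local ")]
        if not pool:
            findings.append(("HIGH", f"group {g}: no address pool assigned"))
        elif pool[0] not in pools:
            findings.append(("HIGH", f"group {g}: pool '{pool[0]}' is not defined"))
    if "sysopt connection permit-pptp" in lines:
        findings.append(("INFO", "sysopt connection permit-pptp: decapsulated PPTP traffic bypasses outside access lists"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_pptp_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the third listing above it also reports that mppe auto accepts 40-bit keys, although the surrounding text calls for 128-bit encryption.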

The status of PPTP tunnels can be displayed using several commands:

PIX1# show vpdn tunnel
% No active L2TP tunnels
% No active PPTP tunnels

If any tunnels were active, statistics on their number and traffic would have been displayed:

PIX1# show vpdn tunnel pptp packet
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID Pkts-In Pkts-Out Bytes-In Bytes-Out
1 1234 23 200323 553

The previous command shows only the traffic statistics for active PPTP data tunnels. Another command is used to monitor the PPTP tunnels themselves:

PIX1# show vpdn tunnel pptp summary
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID State Remote Address Port Sessions
1 1 estabd 172.16.38.194 1723 1

The following commands display transport layer statistics and session information, respectively:

show vpdn tunnel pptp transport
show vpdn pptp session