[cisco-ttl] Pix ve PPTP

From: Oguzhan Kayhan (oguzhan.kayhan_at_barmek.az)
Date: Mon Mar 07 2005 - 08:00:44 EET

Selam.

Pix 6.3(4) uzerinden clienatlarin pptp ile baglanmasi asamasini niyahet
gerceklestirdim.

Ic networke de ulasmakta sorunum yok.

Ancak vpn ile baglanan clientlar ile sadece iceriden outbound ile disari
cikma yetkisi verdigim bilg.lara ulasabiliyorum.

TUm networke ulasabilmek icin ne yapmaliyim?

Ayrica meark ettigim bir diger olay da, outside tan gelen bu pptp
clientlarin hem local baglantisinin hem de internet baglantisinin
olabilmesi.

Pix ustunden nasil bunlara internete cikma yetkisi verebilirim?

 

Configi asagida gonderiyorum.

 

Bir de PPTP icin 7200 veya 5300 serisi routerlari da kullanabilirmiyim?

 

Tesekkurler.

 

 

 

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

...........

fixup protocol dns maximum-length 512

fixup protocol ftp 21

no fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

......................

access-list unsecure permit icmp any any

access-list unsecure permit gre any any

.......................

access-list unsecure permit ip 10.100.100.0 255.255.255.0 192.168.0.0
255.255.0.0

access-list unsecure permit ip 192.168.0.0 255.255.0.0 10.100.100.0
255.255.255.0

access-list 101 permit ip 192.168.0.0 255.255.0.0 10.100.100.0
255.255.255.0

pager lines 24

logging on

logging trap debugging

logging facility 9

logging host inside Ras_Internal

no logging message 111005

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside xxx.xxx.xxx.xxx

ip address inside 192.168.10.1 255.255.255.0

ip address DMZ 10.10.10.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit name ids attack action alarm drop reset

ip audit info action alarm

ip audit attack action alarm drop

ip local pool pptp-pool 10.100.100.1-10.100.100.250

pdm history enable

arp timeout 14400

global (outside) 1 PAT2

global (DMZ) 1 10.10.10.200

nat (inside) 0 access-list 101

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

nat (DMZ) 2 10.10.10.2 255.255.255.255 0 0

access-group unsecure in interface outside

access-group DMZ in interface DMZ

outbound 1 deny 0.0.0.0 0.0.0.0 0 ip

..................

outbound 1 permit 10.100.100.0 255.255.255.0 0 ip

apply (inside) 1 outgoing_src

route outside 0.0.0.0 0.0.0.0 80.69.50.1 1

route DMZ 192.1.1.0 255.255.255.0 10.10.10.5 1

route inside 192.168.0.0 255.255.0.0 192.168.10.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225
1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server AuthInbound protocol radius

aaa-server AuthInbound max-failed-attempts 3

aaa-server AuthInbound deadtime 10

aaa-server AuthInbound (inside) host 192.168.10.8 xxxx timeout 15

floodguard enable

sysopt connection permit-pptp

telnet timeout 5

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local pptp-pool

vpdn group 1 client configuration dns 192.168.10.8

vpdn group 1 client configuration wins Proxy_Internal

vpdn group 1 client authentication aaa AuthInbound

vpdn group 1 pptp echo 60

vpdn enable outside

--------------------------------------------------------------------------

DISCLAIMER: By opening this e-mail you hereby acknowledge that all information given in this e-mail by Barmek Azerbaijan Electricity Network LLC and/or by companies which it owns, controls and/or is affiliated with (altogether Barmek) is confidential and you agree that you will treat it as confidential and will not disclose or release it to any third party or not use it without the prior written consent of Barmek; and you agree that any failure to fullfill above-mentioned requirements will create a serious breach of ethics and law, and you will be responsible for all direct and/or indirect damages/losses and any other consequences that Barmek will encounter.

[Non-text portions of this message have been removed] 

--

Bu listenin Cisco Systems ile herhangi bir baglantisi bulunmamaktadir. 

Listede onerilen cozumlerin uygulanmasindaki tum sorumluluk kullaniciya aittir. Liste yoneticileri, liste uyeleri ya da bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar.

Listeden cikmak için cisco-ttl-unsubscribe_at_yahoogroups.com adresine bir e-posta gönderebilirsiniz. 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/cisco-ttl/

<*> To unsubscribe from this group, send an email to:
    cisco-ttl-unsubscribe_at_yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/

This archive was generated by hypermail 2.1.3 : Mon Mar 07 2005 - 08:00:53 EET