Point-to-Point on PIX - Page 2
The sample configuration used throughout this chapter requires changes to enable PPTP. The new commands are shown in the following configuration, and this section then examines each of them in turn:

ip local pool thelocalpool 10.1.1.50-10.1.1.75
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 10.1.1.41
vpdn group 1 client configuration wins 10.1.1.9
vpdn group 1 client authentication local
vpdn username joe password joespassword
vpdn username mary password marryspassword
sysopt connection permit-pptp
ip local pool Command
An IP local pool is used with VPNs to reserve a range of IP addresses that will be assigned to hosts connecting over the VPN. The addresses in this range must not be in use by any other hosts and should not appear in any other commands. Use the show form of the command to display all of the IP addresses within a pool. The command that reserves IP addresses 10.1.1.50 through 10.1.1.75 under the name thelocalpool follows.
ip local pool thelocalpool 10.1.1.50-10.1.1.75
The vpdn command takes many forms. The first line, the vpdn enable outside command, accomplishes two tasks. First, this enables virtual private dial-up network (VPDN) support on the PIX itself. Second, VPDN is enabled on the interface labeled outside by the nameif command. Multiple interfaces accepting PPTP traffic each require a separate vpdn enable interface command. Note that the PIX Firewall only accepts incoming PPTP traffic and cannot be used to initiate a PPTP tunnel.
The basic form of the command, vpdn group 1 accept dialin pptp, defines VPDN group 1, the group number that the other vpdn group 1 commands refer to. Assuming that multiple PPTP tunnels are to be terminated on this interface, you might wish to set up some users on one tunnel and other users on a different tunnel. In this case, multiple tunnels allow you to accomplish such tasks as assigning different WINS or DNS servers to individuals. The accept dialin pptp portion of this command tells the PIX that it should accept PPTP connections requested by outside entities.
The vpdn group 1 ppp authentication mschap command shown next sets the PPP authentication protocol used within VPDN group 1 to mschap (MS-CHAP). The other options available on this command are pap and chap.
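As an added example (not from the book), the following Python audit parses a PIX PPTP configuration like the one above and checks the dependencies this section describes: the pool named in client configuration address local must exist, every group number used must be defined with accept dialin pptp, an interface must be enabled with vpdn enable, the authentication must be mschap, and sysopt connection permit-pptp must be present. The sample configuration and the finding messages are constructed for this example.

```python
import ipaddress
import re
# Constructed sample: the chapter's PPTP commands, one per line.
SAMPLE_CONFIG = """\
ip local pool thelocalpool 10.1.1.50-10.1.1.75
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 10.1.1.41
vpdn group 1 client configuration wins 10.1.1.9
vpdn group 1 client authentication local
vpdn username joe password joespassword
vpdn username mary password marryspassword
sysopt connection permit-pptp
"""

def parse_pools(lines):
    """Return {name: (first, last)} for each 'ip local pool' command."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def audit_pptp(config):
    """Return a list of findings; an empty list means the PPTP commands are consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    pools = parse_pools(lines)
    if not any(re.match(r"vpdn enable \S+$", l) for l in lines):
        findings.append("no 'vpdn enable <interface>': PIX will not accept PPTP")
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing 'sysopt connection permit-pptp'")
    # Every group number that appears must be defined with 'accept dialin pptp'.
    groups = {l.split()[2] for l in lines if l.startswith("vpdn group ")}
    for g in sorted(groups):
        prefix = f"vpdn group {g} "
        cmds = [l[len(prefix):] for l in lines if l.startswith(prefix)]
        if "accept dialin pptp" not in cmds:
            findings.append(f"group {g}: used but never defined with 'accept dialin pptp'")
        auth = [c.split()[-1] for c in cmds if c.startswith("ppp authentication ")]
        if not auth or auth[-1] != "mschap":
            findings.append(f"group {g}: ppp authentication is {auth[-1] if auth else 'unset'}, not mschap")
        for c in cmds:
            m = re.match(r"client configuration address local (\S+)$", c)
            if m and m.group(1) not in pools:
                findings.append(f"group {g}: address pool {m.group(1)} is not defined")
    return findings
```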