Point-to-Point on PIX - Page 2

By Cisco Press | Posted Oct 17, 2001

The sample configuration used throughout this chapter requires changes to enable PPTP. These changes are shown in the following configuration; this section then examines each of the new commands in turn:

 ip local pool thelocalpool 10.1.1.50-10.1.1.75
 vpdn enable outside
 vpdn group 1 accept dialin pptp
 vpdn group 1 ppp authentication mschap
 vpdn group 1 client configuration address local thelocalpool
 vpdn group 1 client configuration dns 10.1.1.41
 vpdn group 1 client configuration wins 10.1.1.9
 vpdn group 1 client authentication local
 vpdn username joe password joespassword
 vpdn username mary password marryspassword
 sysopt connection permit-pptp

ip local pool Command
An IP local pool is used with VPNs to reserve a range of IP addresses that will be assigned to hosts connecting over the VPN. The addresses in this range must not be in use by any other hosts and should not be referenced in any other commands. Use the show form of the command to display all of the IP addresses within a pool. The following command reserves the IP addresses 10.1.1.50 through 10.1.1.75 under the name thelocalpool:

 ip local pool thelocalpool 10.1.1.50-10.1.1.75

vpdn Command
The vpdn command takes many forms. The first line, the vpdn enable outside command, accomplishes two tasks. First, this enables virtual private dial-up network (VPDN) support on the PIX itself. Second, VPDN is enabled on the interface labeled outside by the nameif command. Multiple interfaces accepting PPTP traffic each require a separate vpdn enable interface command. Note that the PIX Firewall only accepts incoming PPTP traffic and cannot be used to initiate a PPTP tunnel.

The basic form of the command, vpdn group 1 accept dialin pptp, defines the VPDN group numbered 1 that the other vpdn group commands reference. If multiple PPTP tunnels are to be terminated on this interface, you might wish to place some users on one tunnel and other users on a different tunnel. Multiple tunnels allow you, for example, to assign different WINS or DNS servers to different groups of users. The accept dialin pptp portion of this command tells the PIX that it should accept PPTP connections requested by outside entities.

The vpdn group 1 ppp authentication mschap command shown next ensures that the PPP authentication protocol used within VPDN group 1 is MS-CHAP (mschap). The other options available on this command are pap and chap.
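As an added example (not code from the book or from Cisco), the following Python checker applies the constraints stated in the ip local pool and vpdn sections to a saved PIX configuration: the referenced pool must exist, VPDN must be enabled on an interface, the DNS and WINS addresses handed to clients must fall outside the pool, and the PPP authentication method must be one of pap, chap or mschap. It assumes the configuration is available as plain text; the sample input is the chapter's configuration reproduced inline.

```python
import ipaddress
import re

# Constructed sample input: the chapter's PPTP configuration as plain text.
# No device is contacted; the checker only inspects this text.
SAMPLE_CONFIG = """\
ip local pool thelocalpool 10.1.1.50-10.1.1.75
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 10.1.1.41
vpdn group 1 client configuration wins 10.1.1.9
vpdn group 1 client authentication local
sysopt connection permit-pptp
"""

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def check_pptp_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pools = parse_pools(config)
    # VPDN must be enabled on at least one interface or no tunnel is accepted.
    if not re.search(r"^vpdn enable \S+$", config, re.M):
        findings.append("no 'vpdn enable <interface>' line present")
    # A group's address pool must actually be defined.
    for m in re.finditer(r"^vpdn group (\d+) client configuration address local (\S+)$", config, re.M):
        if m.group(2) not in pools:
            findings.append(f"group {m.group(1)} references undefined pool {m.group(2)}")
    # DNS/WINS servers handed to clients must not sit inside a pool: pool
    # addresses are supposed to be free for assignment to VPN clients.
    for m in re.finditer(r"^vpdn group (\d+) client configuration (dns|wins) (\S+)$", config, re.M):
        addr = ipaddress.ip_address(m.group(3))
        for name, (lo, hi) in pools.items():
            if lo <= addr <= hi:
                findings.append(f"{m.group(2)} server {addr} lies inside pool {name}")
    # Only pap, chap and mschap are valid here; pap sends the password in cleartext.
    for m in re.finditer(r"^vpdn group (\d+) ppp authentication (\S+)$", config, re.M):
        if m.group(2) not in ("pap", "chap", "mschap"):
            findings.append(f"group {m.group(1)}: unknown authentication method {m.group(2)}")
        elif m.group(2) == "pap":
            findings.append(f"group {m.group(1)}: pap transmits passwords in cleartext")
    return findings
```

Running check_pptp_config on a configuration exported with write terminal (or on a change before it is applied) gives an empty list when the chapter's constraints hold.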
