Point-to-Point on PIX - Page 2

In this segment from the Cisco Press book, Cisco Secure Internet Security Solutions, you'll learn commands and parameters for configuring your VPN with Point-to-Point Tunneling Protocol for a PIX Firewall.

 By Cisco Press
Page 2 of 4

The sample configuration used throughout this chapter requires changes to enable PPTP; these are shown in the following configuration. After the configuration, this section examines each of the new commands in turn:

 ip local pool thelocalpool
 vpdn enable outside
 vpdn group 1 accept dialin pptp
 vpdn group 1 ppp authentication mschap
 vpdn group 1 client configuration address local thelocalpool
 vpdn group 1 client configuration dns
 vpdn group 1 client configuration wins
 vpdn group 1 client authentication local
 vpdn username joe password joespassword
 vpdn username mary password marryspassword
 sysopt connection permit-pptp

ip local pool Command
An IP local pool is used with VPNs to reserve a range of IP addresses that will be assigned to hosts connecting over the VPN. The addresses in this range must not be in use by any other hosts and should not be used in any other commands. Use the show form of the command to display all of the IP addresses within a pool. The command that reserves the address range (first address through last address) under the name thelocalpool follows.

 ip local pool thelocalpool

vpdn Command
The vpdn command takes many forms. The first line, the vpdn enable outside command, accomplishes two tasks. First, this enables virtual private dial-up network (VPDN) support on the PIX itself. Second, VPDN is enabled on the interface labeled outside by the nameif command. Multiple interfaces accepting PPTP traffic each require a separate vpdn enable interface command. Note that the PIX Firewall only accepts incoming PPTP traffic and cannot be used to initiate a PPTP tunnel.

The basic form of the command, vpdn group 1 accept dialin pptp, creates VPDN group 1, the group number that the other vpdn group commands refer to. Assuming that multiple PPTP tunnels are to be terminated on this interface, you might wish to set up some users on one tunnel and other users on a different tunnel. In this case, multiple tunnels allow you to accomplish such tasks as assigning different WINS or DNS servers to individuals. The accept dialin pptp portion of this command tells the PIX that it should accept PPTP connections requested by outside entities.

The vpdn group 1 ppp authentication mschap command shown next ensures that the PPP authentication protocol used within VPDN group 1 is mschap. The other options available on this command are pap and chap.
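As an added example that is not from the book or from Cisco, the following Python script audits the PPTP-related lines of a PIX configuration such as the one above: it checks that some interface has vpdn enable, that each group accepting PPTP dial-in names a ppp authentication method and an address pool defined by ip local pool, and flags pap, which sends passwords in cleartext. The sample configuration, including the pool range and the second group, is constructed for this example.

```python
import re

# Constructed sample modelled on the configuration above; the pool range and
# group 2 are placeholders, since the excerpt does not show real addresses.
SAMPLE_CONFIG = """\
ip local pool thelocalpool 192.0.2.10-192.0.2.20
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client authentication local
vpdn group 2 accept dialin pptp
vpdn group 2 ppp authentication pap
vpdn group 2 client configuration address local missingpool
"""

def audit_pptp_config(config: str) -> list:
    """Return findings for the PPTP-related lines of a PIX configuration."""
    pools, ifaces, groups = set(), set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+)", line):
            pools.add(m.group(1))                 # address pools by name
        elif m := re.match(r"vpdn enable (\S+)", line):
            ifaces.add(m.group(1))                # interfaces accepting VPDN
        elif m := re.match(r"vpdn group (\S+) (.+)", line):
            g, rest = groups.setdefault(m.group(1), {}), m.group(2)
            if rest == "accept dialin pptp":
                g["pptp"] = True
            elif a := re.match(r"ppp authentication (\S+)", rest):
                g["auth"] = a.group(1)
            elif p := re.match(r"client configuration address local (\S+)", rest):
                g["pool"] = p.group(1)
    findings = []
    if not ifaces:
        findings.append("no 'vpdn enable <interface>' line: PPTP cannot be accepted")
    for gid, g in sorted(groups.items()):
        if not g.get("pptp"):
            continue                              # group does not accept PPTP
        auth = g.get("auth")
        if auth is None:
            findings.append(f"group {gid}: no 'ppp authentication' method")
        elif auth == "pap":
            findings.append(f"group {gid}: pap sends passwords in cleartext")
        pool = g.get("pool")
        if pool is None:
            findings.append(f"group {gid}: clients get no address pool")
        elif pool not in pools:
            findings.append(f"group {gid}: pool '{pool}' has no 'ip local pool'")
    return findings
```

Running audit_pptp_config(SAMPLE_CONFIG) reports nothing for group 1 and two findings for the constructed group 2.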

This article was originally published on Oct 17, 2001