Point-to-Point on PIX - Page 3

In this segment from the Cisco Press book, Cisco Secure Internet Security Solutions, you'll learn commands and parameters for configuring your VPN with Point-to-Point Tunneling Protocol for a PIX Firewall.

 By Cisco Press

NOTE: You must also ensure that any Windows devices that need to establish a PPTP tunnel into your network are configured correctly. Unless you have set a Microsoft Windows client to require encrypted passwords, the client first tries a clear-text PAP password. That attempt fails because your PIX configuration requires encryption. The client then retries with the same password in encrypted form, and this attempt succeeds. Even though the connection is ultimately successful, the password has already been sent in clear text and might have been revealed to hackers. Therefore, ensure that encrypted passwords are required on all Microsoft Windows clients used for tunneled connections.

The vpdn group 1 client configuration address local thelocalpool command assigns the IP address that the client uses while it is connected through the PPTP tunnel. Because you created a pool called thelocalpool and assigned a range of addresses to it, this command directs the PIX to draw the client's address from that pool. Limiting the number of addresses in the pool in turn limits the number of PPTP connections that can be active simultaneously.

The client configuration form of the vpdn command also assigns the WINS and DNS servers that the PPTP client uses while it is connected to your network. Each of these commands accepts one or two IP addresses, and the order in which the addresses are entered is the order in which Windows clients will use them.

The vpdn group 1 client authentication local command tells the PIX to check passwords against its local user database. If you are using an AAA server for client authentication instead, you need to tell the PIX about the AAA server and instruct it to authenticate PPTP users against that server, with lines similar to the following:

 aaa-server TACACS+ (inside) host <aaa-server-ip> thekey timeout 20
 vpdn group 1 client authentication aaa TACACS+

The vpdn username joe password joespassword command enters Joe as a user in the local database and assigns joespassword as his password. This is the password whose hash result is sent over the connection during MS-CHAP authentication. You have also enabled Mary as a user with her own unique password. Once the system is configured to allow one user, allowing additional users is simply a matter of adding a username and password to the PIX configuration.
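To show how the individual commands discussed on this page fit together, here is a complete PIX PPTP server configuration. It is an added example, not an excerpt from the Cisco Press book; the pool range, DNS/WINS/AAA addresses, the TACACS+ key and Mary's password are constructed sample values, and the surrounding commands (accept dialin, ppp authentication, ppp encryption, vpdn enable, sysopt) are assumed from PIX 6.x syntax rather than taken from the text above.

```cisco
! Added example (not from the Cisco Press text): a complete PIX 6.x PPTP
! server configuration that ties together the commands discussed above.
! All IP addresses, the TACACS+ key and Mary's password are constructed.

! Address pool handed to PPTP clients. The pool size caps the number of
! simultaneous tunnels: 10 addresses here means at most 10 active sessions.
ip local pool thelocalpool 192.168.50.1-192.168.50.10

! Accept inbound PPTP calls on this group.
vpdn group 1 accept dialin pptp

! Offer only MS-CHAP, so a client's initial clear-text PAP attempt is
! refused instead of being accepted.
vpdn group 1 ppp authentication mschap

! MPPE is mandatory; the session is dropped if the client will not encrypt.
vpdn group 1 ppp encryption mppe 40 required

! Client address, DNS and WINS assignment. Where two servers are listed,
! Windows clients try them in the order given.
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 10.1.1.5 10.1.1.6
vpdn group 1 client configuration wins 10.1.1.7

! Authenticate PPTP users against the local database ...
vpdn group 1 client authentication local
vpdn username joe password joespassword
vpdn username mary password marysecret

! ... or, in place of the three lines above, against a TACACS+ server:
! aaa-server TACACS+ protocol tacacs+
! aaa-server TACACS+ (inside) host 10.1.1.20 thekey timeout 20
! vpdn group 1 client authentication aaa TACACS+

! Terminate PPTP on the outside interface and let the tunnelled traffic
! bypass the outside access list checks.
vpdn enable outside
sysopt connection permit-pptp
```

The mschap and mppe required lines are what make the PIX reject the clear-text PAP attempt described in the note above; they do not stop a Windows client from trying PAP first, which is why the client itself should also be set to require encrypted passwords.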

This article was originally published on Oct 17, 2001