02-02-2005 04:53 AM - edited 02-20-2020 11:54 PM
Hi,
I have configured my pix506 to support/terminate vpdn sessions local on the pix (vpdn group command).
I use pptp and mppe.
As I know from where my users come (source ip) I would like to limit vpdn access to the pix for these source ip addresses only.
Else everyone would be able to repeatedly (try to) connect to my pix (and guessing the password).
I put an ACL in place on the outside interface doing a "deny any any".
I even added a deny for GRE and also for TCP port 1723.
I also removed the "sysopt connection permit-pptp".
However, I am still able to successfully set up a vpdn to the pix.
Question:
Is it possible to filter on source ip for vpdn sessions terminating on the pix, and if so, how do you do that?
rgds,
diederik
02-02-2005 05:01 AM
Hi diederik,
You can filter this on the router which is on the outside interface of the PIX. Configure ACLs on the router and filter traffic on it based on tcp port 1723... but are you sure the end users will not be affected by this? If they are on internet/dialup, are you sure you can restrict only certain ip pools to access this server? Try this and let us know anyway...
Raj
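As an added illustration of Raj's suggestion (not configuration from the thread or from Cisco), the following IOS extended ACL on the upstream router permits PPTP control traffic (TCP 1723) and GRE to the PIX only from the known employee addresses and drops and logs every other attempt. The addresses are constructed placeholders: 203.0.113.10 stands for the PIX outside address and 192.0.2.0/24 for the employees' static ADSL range; the interface name is also assumed.

```cisco
! Added example, not part of the original thread.
! Placeholder addresses: 203.0.113.10 = PIX outside interface,
! 192.0.2.0/24 = employees' static ADSL addresses.
ip access-list extended PPTP-TO-PIX
 remark Allow PPTP control (TCP 1723) and GRE to the PIX only from known employee addresses
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 1723
 permit gre 192.0.2.0 0.0.0.255 host 203.0.113.10
 remark Drop PPTP attempts to the PIX from anywhere else and log them for review
 deny   tcp any host 203.0.113.10 eq 1723 log
 deny   gre any host 203.0.113.10 log
 remark Everything else still reaches the PIX, which applies its own policy
 permit ip any any
!
interface FastEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group PPTP-TO-PIX in
```

The filter sits on the router rather than on the PIX because, as the original post reports, an outside-interface ACL on the PIX did not stop PPTP sessions that terminate on the PIX itself. After applying it, `show access-lists PPTP-TO-PIX` shows per-entry match counters, so a rising count on the two deny lines, together with the logged entries, gives a simple view of how often unknown sources are attempting PPTP against the firewall; a quick connection attempt from an address outside 192.0.2.0/24 should fail to reach the PIX at all.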
02-02-2005 06:07 AM
Hi Raj,
thanks for your reply.
I think this would certainly work, but is not an option here as we are not in control of the router in front of the firewall. It is managed by the ISP solely.
You are right with regards to the varying sources.
However, all my employees have adsl with a static ip address, so it should be pretty much constant.