PPTP filter-ID accesslist

Tommy Svensson
Level 1

Hi.

I have a network setup like this:

Internet - Cisco 2911 - Multiple VLANs

I have configured access to network 10.10.13.0 through PPTP when you connect to the router's external IP. From there I want people to get access to their own VLAN based on their username and password. I use the Windows IAS for authentication, and the RADIUS server also sends a filter-id when the authentication is accepted. This filter-id triggers a specified access list. In this case it triggers access list 150.

The problem is that User-A can get access to the network and the access list is triggered, but User-A cannot access any other VLAN than VLAN 13, which is the VLAN I use for remote connections. I'm wondering if I need to configure a zone-pair and how I should do this.

Regards, Tommy Svensson

Here is some of my running config.

aaa authentication login default group radius local
aaa authentication login console none
aaa authentication login SSH local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
policy-map type inspect STANDARD
 class type inspect STANDARD
  inspect
 class type inspect STANDARD_OUT_PERMIT
  pass
 class class-default
  drop
policy-map type inspect STANDARD_IN
 class type inspect STANDARD_IN_PERMIT
  pass
 class class-default
  drop
!
zone security VLAN10_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN11_ZONE
zone security VLAN12_ZONE
zone security VLAN13_ZONE
zone security VLAN14_ZONE
zone security VLAN15_ZONE
zone security VLAN50_ZONE
zone security VLAN100_ZONE
zone security VLAN101_ZONE
!
! Only two zone-pairs are defined, both between WAN_ZONE and VLAN13_ZONE.
! No zone-pair exists from VLAN13_ZONE to any of the other VLAN zones.
zone-pair security WAN_TO_VLAN13 source WAN_ZONE destination VLAN13_ZONE
 service-policy type inspect STANDARD_IN
zone-pair security VLAN_13_TO_WAN source VLAN13_ZONE destination WAN_ZONE
 service-policy type inspect STANDARD
!
interface GigabitEthernet0/0.13
 description Company13
 encapsulation dot1Q 13
 ip address 10.10.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN13_ZONE
 no cdp enable
!
! PPTP sessions are cloned from this template, so every VPN user
! lands in VLAN13_ZONE.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/2
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN13_ZONE
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
ip local pool test 10.10.13.50 10.10.13.250
!
access-list 150 permit ip any any log
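Under IOS zone-based firewall, traffic between two zones that have no zone-pair is dropped by default, independent of any ACL the RADIUS filter-id applies on the Virtual-Access interface. The following is an added illustration (not part of the original post) of a zone-pair from the VPN users' zone into one VLAN zone; the zone names VLAN13_ZONE and VLAN10_ZONE come from the config above, while the class-map, policy-map and zone-pair names are assumed.

```cisco
! Added illustrative config, not from the original post.
! VLAN13_ZONE / VLAN10_ZONE are the poster's zone names;
! the class-map, policy-map and zone-pair names are assumed.
class-map type inspect match-any VPN_TO_VLAN10_CM
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect VPN_TO_VLAN10_PM
 class type inspect VPN_TO_VLAN10_CM
  inspect
 class class-default
  drop log
!
! Stateful inspection from the PPTP/VLAN13 zone into VLAN10.
! Return traffic is permitted by the inspect session state,
! so no reverse zone-pair is required for replies.
zone-pair security VLAN13_TO_VLAN10 source VLAN13_ZONE destination VLAN10_ZONE
 service-policy type inspect VPN_TO_VLAN10_PM
```

The per-user ACL pushed via filter-id is still evaluated on the Virtual-Access interface, so both the ACL and the zone policy must permit a flow; `show policy-map type inspect zone-pair VLAN13_TO_VLAN10` shows whether sessions are being created or dropped by this pair.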


Tommy Svensson
Level 1

Is there someone that has an idea on this matter?
