05-03-2009 05:30 AM
Hi,
I have an 851 router which is configured for IPSEC VPN tunnel, PPTP & Internet access.
I have 15 or so machines that need to communicate with each other; the other 10 or so are managed internally but will also be managed externally.
The current config will work; however, I am concerned about security.
The external companies (3 of them) need access to their own specific hosts only, and those hosts should have no access to the other hosts or servers on the same subnet (apart from one internal machine).
Ideally I would like to retain remote access for support purposes, but if I have to I can completely separate the two sets of machines on physical networks, although this will cause some issues.
I thought of creating multiple vpdn groups with a single IP address and applying access-lists. What is the best way of accomplishing this?
Any suggestions gratefully received.
vpdn enable
!
vpdn-group 123
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 101
 local name VPN
 l2tp tunnel receive-window 128
!
interface Virtual-Template101
 ip unnumbered Vlan1
 peer default ip address pool pptp-pool
 ppp authentication ms-chap
!
interface Vlan1
 description Connected to LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool pptp-pool 192.168.20.10 192.168.20.12
05-10-2009 08:51 AM
I think you can configure multihop VPDN. Multihop virtual private dialup networking (VPDN) is a specialized VPDN configuration that allows packets to pass through multiple tunnels. Ordinarily, packets are not allowed to pass through more than one tunnel. In a multihop deployment, the VPDN tunnel is terminated after each hop and a new tunnel is initiated to the next hop destination.
05-21-2009 10:03 AM
Hi htarra
Thanks for responding. In the end I decided to replace the router with an ASA, as we were also required to separate the networks.