
Cisco vpdn access list

18 years 11 months ago #12167 by suderman
Hello !

I have set up a simple VPDN server on a Cisco 800 series router.
It is used for remote users who are using the W2k VPN client.
The protocol is PPTP.

Users authenticate to the server using usernames defined locally on the router.
Then they get a local IP address from a pool also defined on the router.
This is working fine and I want it to stay like this.

What I would like to do now is to make connections possible only from several IP addresses.
I know it's possible by creating a simple access list, but I don't know to which part of the configuration to assign it.

Is logging of VPDN connections also possible?

The configuration of VPDN looks like this:

username user password 7 xxxxxxxxxxxxxxx

aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

vpdn enable

!
vpdn-group 1
! Default PPTP VPDN group
description VPDN Group for remote Windows VPN clients
accept-dialin
protocol pptp
virtual-template 1
!

!
interface Virtual-Template1
ip unnumbered Ethernet1
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!

interface Virtual-Template1
ip unnumbered Ethernet1
ip mroute-cache
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!

ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

ip access-list standard vpn-users permit xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
Thank You.
18 years 11 months ago #12206 by Chris
Replied by Chris on topic Re: Cisco vpdn access list
suderman,

It's a good idea to try and restrict access from certain IP addresses. In order to achieve this, you simply need to add the following to the access list bound to your 'outside' interface (e.g. dialer interface):

1) Define the access list
access-list 103 permit tcp any host <your router's ip> eq 1723
access-list 103 permit gre any host <your router's ip>

You can change the '103' to whatever extended access list number you're using.

2) Bind the access list to your 'outside' interface.

Assuming our outside interface is dialer 0:
sh run:
........
interface Dialer0
description Internet Interface
ip access-group 103 in
........


That should do the job. If you have any problems, let us know!

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
18 years 11 months ago #12233 by suderman
Replied by suderman on topic Re: Cisco vpdn access list
Thanks,

but doesn't that block other access to the internet interface?
This interface is our default gateway to the internet.
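The following is an added configuration example (not posted by anyone in this thread) showing how the restriction Chris describes can be written so that it only touches PPTP traffic, answers the logging question, and avoids the implicit deny that would otherwise cut off all other inbound traffic on the internet interface. The addresses are constructed: 203.0.113.10 and 203.0.113.20 stand for the two permitted remote sites, 198.51.100.1 for the router's outside address, and VPN-INBOUND is an assumed ACL name.

```cisco
! Named extended ACL applied inbound on the outside (internet) interface.
! Only the PPTP control channel (TCP/1723) and its GRE data channel are
! restricted; all other traffic is left exactly as it was before.
ip access-list extended VPN-INBOUND
 remark -- PPTP control channel from approved remote sites only (constructed addresses)
 permit tcp host 203.0.113.10 host 198.51.100.1 eq 1723 log
 permit tcp host 203.0.113.20 host 198.51.100.1 eq 1723 log
 remark -- GRE carries the PPTP tunnel data; allow it from the same sites
 permit gre host 203.0.113.10 host 198.51.100.1
 permit gre host 203.0.113.20 host 198.51.100.1
 remark -- Explicitly drop and log PPTP/GRE from everywhere else
 deny tcp any host 198.51.100.1 eq 1723 log
 deny gre any host 198.51.100.1 log
 remark -- Replace the implicit deny so the internet gateway keeps working
 permit ip any any
!
interface Dialer0
 description Internet Interface
 ip access-group VPN-INBOUND in
!
! The 'log' keyword on the permit and deny entries produces a syslog message
! (%SEC-6-IPACCESSLOGP) for each matched PPTP connection attempt, which gives
! a simple record of who tried to connect and whether they were allowed.
```

If the Dialer0 address is assigned dynamically by the ISP, replace `host 198.51.100.1` with `any` in the destination field so the entries keep matching after a reconnect.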