
The company I work for has a client that has a Cisco PIX 506e firewall running v6.3. The PIX is currently set up to manage PPTP VPN connections using the local Windows domain controller as a RADIUS server. The PIX does not support MSCHAP v2 connections, so users cannot connect from Windows 7 workstations.

Our plan is to just disable the VPN connection on the PIX and pass VPN through and let the DC manage it. Problem is, I cannot find any information on disabling the existing VPN setup on the PIX.

I have only moderate experience with PIXes, but to the best of my knowledge, the following are all the commands that control the VPN setup.

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local bigpool
vpdn group 1 client configuration dns local_server_alias 
vpdn group 1 client configuration wins local_server_alias
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn username some_users password ********
vpdn enable outside

I've looked at the PIX v6.3 command reference and I do not see any information on disabling it. The tftp-server commands reference using a no command to disable the tftp-server, but the vpdn command reference has no information on it. To disable, is it as simple as using a no vpdn enable outside command or doing a no for all of the above commands, or is it something else?

A second, related question is how to correctly pass VPN through the PIX.

Reviewed Cisco Doc ID 18806 and it looks like all I need to do is add the following lines:

access-list acl-out permit gre any host external_ip_of_RRAS 
access-list acl-out permit tcp any host external_ip_of_RRAS eq 1723 
static (inside,outside) external_ip_of_RRAS internal_ip_of_RRAS netmask 255.255.255.255 0 0 
access-group acl-out in interface outside

There is also potentially a PPTP fixup command that may be needed, but it sounds like that is only needed for inside to outside PPTP. Does this look correct or will I need anything more?

Thanks!

Strahn

1 Answer


You might find yourself in a world of pain if you apply 'acl-out' to your outside interface! If there is already an access-group applied then there is a risk that you will remove all of your existing inbound access.

Before you do anything, do a show access-group to check what ACLs are already applied (if any). I don't have a PIX v6 to check exactly what the commands would be, but it'll be something like:

pix501# show access-group

and you should get a response something like...

access-group outside_acl in interface outside
access-group inside_acl in interface inside

If you do have an access-list applied to your outside interface, then you'll want to add to that one rather than creating a new one.

pix501(config)# access-list outside_acl permit gre any host external_ip_of_RRAS 
pix501(config)# access-list outside_acl permit tcp any host external_ip_of_RRAS eq 1723
pix501(config)# static (inside,outside) external_ip_of_RRAS internal_ip_of_RRAS 

If you don't have an access-list applied to your outside interface, then go ahead and apply that to your outside interface as you have said above.

pix501(config)# access-group outside_acl in interface outside

To disable the existing PPTP, all you need to do is 'no' the vpdn enable statement.

pix501(config)# no vpdn enable outside

Similarly, if you want to completely remove all of the vpdn config, just type 'no' in front of the configuration line you'd like to remove.

pix501(config)# no vpdn group 1 accept dialin pptp
pix501(config)# no vpdn group 1 ppp authentication pap
pix501(config)# no vpdn group 1 ppp authentication chap
pix501(config)# no vpdn group 1 ppp authentication mschap
pix501(config)# no vpdn group 1 ppp encryption mppe 40
pix501(config)# no vpdn group 1 client configuration address local bigpool
pix501(config)# no vpdn group 1 client configuration dns local_server_alias 
pix501(config)# no vpdn group 1 client configuration wins local_server_alias
pix501(config)# no vpdn group 1 client authentication aaa RADIUS
pix501(config)# no vpdn group 1 pptp echo 60
pix501(config)# no vpdn username some_users
paulos
There actually is an access list already created for the outside interface. `access-group outside_access_in in interface outside` I had intended to update that from the Cisco example, but was so caught up in removing identifiable IPs & names from our internal config that I forgot. Thanks a lot. Will not be able to test & confirm this until later. – Strahn Sep 14 '11 at 18:30
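The pitfall paulos describes (binding a new ACL to the outside interface and silently replacing the inbound policy that is already there) is easy to avoid if the change is generated from the running config rather than typed from an example. The script below is an added illustration, not code from the thread or from Cisco: it parses the `access-group ... in interface` lines of a PIX 6.x style config, appends the GRE and TCP/1723 permits to whichever ACL is already bound to `outside` (and only emits a fresh `access-group` when none is), and produces the `no vpdn ...` lines, with `no vpdn enable outside` first and the password stripped from the `vpdn username` line as in the answer. The sample config, the RFC 5737 documentation addresses and the default ACL name `acl-out` are constructed for the example; the command syntax is the one quoted in the question and answer.

```python
"""Generate PIX 6.x PPTP pass-through and vpdn removal lines from a running config.

Added example; not from the original question, answer, or any Cisco document.
"""
import re

# Constructed sample of the relevant lines of a PIX 6.3 running config.
# ACL name outside_access_in is the one mentioned in the thread; addresses are
# RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list inside_acl permit ip any any
access-group outside_access_in in interface outside
access-group inside_acl in interface inside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa RADIUS
vpdn username some_users password ********
vpdn enable outside
"""

ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def bound_acls(config):
    """Map interface name -> ACL name for every `access-group <acl> in interface <if>` line."""
    bound = {}
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bound[m.group(2)] = m.group(1)
    return bound


def pptp_passthrough_lines(config, external_ip, internal_ip, new_acl_name="acl-out"):
    """Lines that let PPTP (GRE plus TCP/1723) reach an inside RRAS host.

    If an ACL is already bound to the outside interface, extend that ACL and do
    not re-issue `access-group` (that would replace the existing inbound policy).
    Otherwise create the new ACL and bind it, as in the question.
    """
    existing = bound_acls(config).get("outside")
    acl = existing if existing is not None else new_acl_name
    lines = [
        f"access-list {acl} permit gre any host {external_ip}",
        f"access-list {acl} permit tcp any host {external_ip} eq 1723",
        f"static (inside,outside) {external_ip} {internal_ip} netmask 255.255.255.255 0 0",
    ]
    if existing is None:
        lines.append(f"access-group {acl} in interface outside")
    return lines


def vpdn_removal_lines(config):
    """`no` lines for every vpdn statement in the config.

    `no vpdn enable <if>` comes first so the PPTP service stops before its group
    is dismantled; `vpdn username` lines are shortened to `no vpdn username <name>`
    so the password is never echoed in the generated change.
    """
    enable, others = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("vpdn "):
            continue
        if line.startswith("vpdn enable "):
            enable.append("no " + line)
        elif line.startswith("vpdn username "):
            others.append("no " + " ".join(line.split()[:3]))
        else:
            others.append("no " + line)
    return enable + others


if __name__ == "__main__":
    print("! bound ACLs:", bound_acls(SAMPLE_CONFIG))
    print("! PPTP pass-through (hypothetical RRAS host 203.0.113.10 -> 192.168.1.10)")
    for l in pptp_passthrough_lines(SAMPLE_CONFIG, "203.0.113.10", "192.168.1.10"):
        print(l)
    print("! remove PIX-terminated PPTP")
    for l in vpdn_removal_lines(SAMPLE_CONFIG):
        print(l)
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG` and diff the result against what you intend to paste; with the sample above it extends `outside_access_in` and emits no `access-group` line, which is exactly the case Strahn's comment describes.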