New Member

Vpdn access list

Hello!

I have set up a simple VPDN server on a Cisco 800 series router.

It is used for remote users who are using the W2k VPN client.

The protocol is PPTP.

Users authenticate to the server using usernames defined locally on the router.

Then they get a local IP address from a pool also defined on the router.

This is working fine and I want it to stay like this.

What I would like to do now is to make the connection possible only from several IP addresses.

I know it's possible by creating a simple access list, but I don't know to which part of the configuration to assign it.

Is logging of vpdn connections also possible?

The configuration of vpdn looks like this:

username user password 7 xxxxxxxxxxxxxxx
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 description VPDN Group for remote Windows VPN clients
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 peer default ip address pool vpn-local
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 ip mroute-cache
 peer default ip address pool vpn-local
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip access-list standard vpn-users
 permit xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

------------

Thank You.

11 REPLIES
Silver

Re: Vpdn access list

The best way to do this is to apply it on the WAN interface through which the PPTP connections are made. Also, what kind of logging are you looking at? You can always use some kind of accounting through RADIUS.

New Member

Re: Vpdn access list

If I apply it on the WAN interface, won't that block other traffic?

This interface leads from the internal network to the Internet.

Is there no other way to limit access only to vpdn?

Silver

Re: Vpdn access list

Hi

I doubt if you can block the source IPs on VPDN. There are a couple of other options you can think of:

1) See if all the users have a common hostname and use it to regulate connections

or

2) Use a different loopback for the PPTP source and destination and, in the access-list, permit this IP to all users and deny it to others, so PPTP would come up only for the users permitted in the ACL to this particular IP, which is your PPTP source.

Let me know if this helps

New Member

Re: Vpdn access list

Thanks for your answer.

Could you provide me with some details for solution number 2)?

Silver

Re: Vpdn access list

Create a loopback x.x.x.x. This will be the server IP for the clients. They will dial to this IP.

vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip x.x.x.x
!

Create an access-list:

permit
deny any
permit any any

Apply this on the WAN. This will restrict all connections to the VPDN group. Let me know if this helps.

New Member

Re: Vpdn access list

I did as you told me and I've assigned the ip access-list to the interface like this:

(config-if)#ip access-group in

(config-if)#ip access-group out

... but it's not working. I can still connect even though I'm not in the ip access-list ... or am I doing something wrong?

Silver

Re: Vpdn access list

Is it possible for you to show the config (with public IPs masked)? I am sure it is an access-list issue, so we should be able to troubleshoot it.

New Member

Re: Vpdn access list

Although my configuration is now quite different from what you proposed, I have also tried your configuration with the loopback interface.

I've pasted only the interesting part of the configuration.

!
version 12.3
!
username admin password 7 xxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
vpdn enable
vpdn logging
!
vpdn-group 1
 ! Default PPTP VPDN group
 description VPDN Group for remote Windows VPN clients
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0
 ip address yyy.yyy.yyy.yyy
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address xxx.xxx.xxx.xxx
 ip access-group 150 in
 ip nat outside
 ip virtual-reassembly
 service-policy output inbound-http
 duplex auto
 no cdp enable
 crypto map crmap
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 ip mroute-cache
 peer default ip address pool vpn-local
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local zzz.zzz.zzz.zzz zzz.zzz.zzz.zzz
!
access-list 150 permit tcp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx eq 1723
access-list 150 permit gre xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 150 permit tcp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx eq 1723
access-list 150 permit gre xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 150 deny gre any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 150 deny tcp any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx eq 1723
access-list 150 permit ip any any
!
end

Silver (accepted solution)

Re: Vpdn access list

Was this the configuration on which you tried my solution? This should have been your VPDN template config:

vpdn-group 1
 ! Default PPTP VPDN group
 description VPDN Group for remote Windows VPN clients
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip x.x.x.x   // This is important
!
interface Ethernet0

The source IP is important. After you connected, were you able to telnet to this x.x.x.x???

An output of sh vpdn would be useful to find out the source and destination.

New Member

Re: Vpdn access list

the effect is that I can still connect even if I'm not in the access list. :(

New Member

Re: Vpdn access list

Hello!

Just to inform you that I managed to restrict vpdn to a specific source IP address.

I've created the access list, then applied it to the WAN interface.

I didn't have to create a loopback interface.

For source-ip in the vpdn-group I use the IP of the WAN interface.

Thanks
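A complete version of the approach the thread ends up with (extended ACL inbound on the WAN interface, the WAN address as the vpdn-group source-ip, vpdn logging switched on), written here as an added example; it is not configuration from the original posts. The addresses 203.0.113.10 and 203.0.113.20 (the only remote sites allowed to connect), the WAN address 198.51.100.1, the pool range 192.0.2.10-192.0.2.20 and the ACL name VPN-ALLOWED are assumed placeholders; the interface and pool names follow the thread. It goes a little beyond the posts by logging rejected PPTP attempts from the ACL itself and by listing the show commands that confirm the filter is actually being hit.

```cisco
! Added example (not from the thread): restrict PPTP to known remote sites.
! Placeholders: 198.51.100.1 = this router's WAN address on Ethernet1,
! 203.0.113.10 and 203.0.113.20 = the only remote sites allowed to connect,
! 192.0.2.10-192.0.2.20 = addresses handed to connected clients.
!
vpdn enable
! Log tunnel events and per-user connect/disconnect events to syslog
vpdn logging
vpdn logging user
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 ! Clients dial the WAN address, so that is the endpoint the ACL must match
 source-ip 198.51.100.1
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 peer default ip address pool vpn-local
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local 192.0.2.10 192.0.2.20
!
! PPTP needs two things to reach the router: the control channel on TCP/1723
! and the GRE tunnel (IP protocol 47). Permit both only from the trusted
! sources, drop and log PPTP from anyone else, then pass all other traffic.
ip access-list extended VPN-ALLOWED
 remark --- trusted remote sites ---
 permit tcp host 203.0.113.10 host 198.51.100.1 eq 1723
 permit gre host 203.0.113.10 host 198.51.100.1
 permit tcp host 203.0.113.20 host 198.51.100.1 eq 1723
 permit gre host 203.0.113.20 host 198.51.100.1
 remark --- everyone else: reject PPTP and record the attempt ---
 deny   tcp any host 198.51.100.1 eq 1723 log
 deny   gre any host 198.51.100.1 log
 remark --- leave ordinary Internet traffic alone ---
 permit ip any any
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ! Inbound only: this is the direction in which connection attempts arrive
 ip access-group VPN-ALLOWED in
!
logging buffered 16384 informational
!
! Verification after a test connection from a permitted and a non-permitted source:
!   show ip access-lists VPN-ALLOWED   (match counters on the permit/deny lines)
!   show vpdn session                  (tunnel source/destination, as the accepted answer suggests)
!   show logging                       (denied attempts and vpdn user events)
```

Only the PPTP control channel (TCP/1723 to the router's WAN address) and GRE to that address are filtered; the trailing permit ip any any keeps the rest of the Internet-facing traffic unaffected, which addresses the concern raised earlier in the thread about blocking other traffic. Because the filter is inbound, no outbound access-group is needed for this purpose. After a connection attempt, the counters shown by show ip access-lists VPN-ALLOWED should increase on the matching permit or deny line; if they stay at zero while clients still connect, the traffic is not arriving on that interface or to that address, which is what the sh vpdn output suggested in the accepted answer helps establish.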
