CISCO PIX PPTP VPN: how to filter remote IP?

sghezzi (Technical User, DE), Apr 7, 2003

Hello,

I have enabled the PIX to accept PPTP VPN connections from the external world.
It works fine.
The problem is that I would like to restrict the PPTP access to only a couple of remote public IPs (at the moment anybody on the Internet can establish a VPN with us... and we don't want this).
I couldn't find a way to do that.

Does anybody know how to do that?

Many thanks,
best regards

Silvia
 
Let's say that your outside interface's IP address is 100.0.0.1 and you dial in on this interface; you enter an access-list like this one:
! PIX access-list syntax is: permit <protocol> <source> <destination> [eq <port>]
! The remote PPTP client (100.0.0.5) is the source, the outside interface (100.0.0.1) the destination.
access-list acl-out permit gre host 100.0.0.5 host 100.0.0.1
access-list acl-out permit tcp host 100.0.0.5 host 100.0.0.1 eq 1723
! Apply it to traffic arriving on the outside interface.
access-group acl-out in interface outside
This will allow the PPTP traffic from the address 100.0.0.5 to the outside interface (all other source addresses will be denied).
And if you are using a RAS machine which is in your private network, you add a static NAT like this:
! Maps the RAS machine's private address to a global address on the outside network.
static (inside,outside) 100.0.0.5 10.250.60.1 netmask 255.255.255.255 0 0

with 10.250.60.1 being your RAS machine's address.
I hope I answered your question.


 
I tried this when I was testing the VPN, but it didn't work.
Consider that I now have an outside access-list for inbound traffic that denies any IP traffic from any address, and the VPN can still be established.
This means that the PPTP VPN settings overcome the access-list setting.

What do you think?

Silvia
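An added worked configuration, not part of the thread and not either poster's config: it puts the responder's source-restricted access-list together with the PIX PPTP termination settings, and addresses Silvia's follow-up observation that the VPN still comes up with a deny-all inbound access-list. On PIX 6.x software, `sysopt connection permit-pptp` (which Cisco's standard PPTP example turns on) makes the PIX accept PPTP sessions to its own interface without consulting the interface access-list; it is an assumption here that her PIX has it set. The addresses (100.0.0.1 as the outside interface, 100.0.0.5 and 100.0.0.6 as the two permitted remote peers, the 192.168.200.0 client pool), the vpdn group number and the username are placeholders; the `!---` lines are annotations in the style of Cisco's own examples, not commands.

```cisco
!--- Terminate PPTP on the outside interface and hand out tunnel addresses
!--- from a local pool (pool range is a placeholder).
ip local pool pptp-pool 192.168.200.1-192.168.200.20
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username silvia password <choose-a-strong-password>

!--- With this sysopt set, the PIX accepts PPTP (TCP/1723 and GRE) from any
!--- peer regardless of the interface access-list, which is the behaviour
!--- reported in the thread. Remove it so the access-list below decides.
no sysopt connection permit-pptp

!--- Only the listed remote public addresses may open the PPTP control
!--- channel (TCP/1723) and the GRE tunnel to the outside interface.
!--- Source comes first in PIX access-list syntax, destination second;
!--- any other source falls through to the implicit deny at the end.
access-list acl-out permit tcp host 100.0.0.5 host 100.0.0.1 eq 1723
access-list acl-out permit gre host 100.0.0.5 host 100.0.0.1
access-list acl-out permit tcp host 100.0.0.6 host 100.0.0.1 eq 1723
access-list acl-out permit gre host 100.0.0.6 host 100.0.0.1
access-group acl-out in interface outside
```

After applying it, verify from a third address (one not in the list) that a PPTP client cannot even complete the TCP/1723 handshake, and check `show access-list acl-out` for hit counts on the permit lines from the allowed peers. Note that both TCP/1723 and GRE (IP protocol 47) must be permitted: the session is negotiated over TCP but the actual tunnelled traffic rides on GRE, and dropping either one breaks the VPN.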
 