Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Microsoft VPN Server in DMZ
- Thread starter JQ95
- Start date
HI.
Will VPN clients need access to internal network, or only to DMZ servers?
Anyway, if you're going to use PPTP - you should open TCP port 1723 (PPTP) and IP protocol 47 (GRE) from the outside to the VPN server.
If you're going to use L2TP with IPSec you need different ports.
If access of VPN clients to internal network is needed, you should handle this also. Use the most restrictive access that is enough for client use, for example if the VPN client needs access to a specific internal server only, then use STATIC and ACCESS-LIST between DMZ and "inside" to define it, similar to publishing services on the "outside".
An alternate option is "nat 0 access-list" so VPN client can access internal addresses of internal servers.
Bye
Yizhar Hurwitz
Will VPN clients need access to internal network, or only to DMZ servers?
Anyway, if you're going to use PPTP - you should open TCP port 1723 (PPTP) and IP protocol 47 (GRE) from the outside to the VPN server.
If you're going to use L2TP with IPSec you need different ports.
If access of VPN clients to internal network is needed, you should handle this also. Use the most restrictive access that is enough for client use, for example if the VPN client needs access to a specific internal server only, then use STATIC and ACCESS-LIST between DMZ and "inside" to define it, similar to publishing services on the "outside".
An alternate option is "nat 0 access-list" so VPN client can access internal addresses of internal servers.
Bye
Yizhar Hurwitz
- Thread starter
- #3
Thanks for your help.
In answer to your question, VPN users will need access to the inside network (not L2TP, just PPTP with IPSec). Do you know of a resource I can use that shows similar configurations/syntax (CCO only showed some examples for opening access to a mail or web server)? Specifically, how do you open IP/47 (I have PPTP/1723 in my ACL already). Will all IPSec traffic be on 1723 or does that need to be addressed seperately?
Thanks!
In answer to your question, VPN users will need access to the inside network (not L2TP, just PPTP with IPSec). Do you know of a resource I can use that shows similar configurations/syntax (CCO only showed some examples for opening access to a mail or web server)? Specifically, how do you open IP/47 (I have PPTP/1723 in my ACL already). Will all IPSec traffic be on 1723 or does that need to be addressed seperately?
Thanks!
HI.
PPTP does not use IPSec. It uses MS encryption and authentication (MS-CHAP), and GRE tunneling.
Here is a sample access-list
access-list fromoutside permit tcp any host x.x.x.x eq 1723
access-list fromoutside permit gre any host x.x.x.x
access-group fromoutside in interface outside
Here are some Cisco docs that are not directly related but will give you more info:
Bye
Yizhar Hurwitz
PPTP does not use IPSec. It uses MS encryption and authentication (MS-CHAP), and GRE tunneling.
Here is a sample access-list
access-list fromoutside permit tcp any host x.x.x.x eq 1723
access-list fromoutside permit gre any host x.x.x.x
access-group fromoutside in interface outside
Here are some Cisco docs that are not directly related but will give you more info:
Bye
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question
- Locked
- Question