Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PIX PPTP - Nat bypass?

from [Dennis Dimka] Network Security [Permanent Link]
Subject: RE: PIX PPTP - Nat bypass?
Date: Mon, 29 Nov 2004 17:05:56 -0600 
I should also note that I did issue the sysopt command to generally allow
PPTP traffic (sysopt permit-pptp)

 

  _____  

From: Dennis Dimka 
Sent: Monday, November 29, 2004 5:04 PM
To: Firewalls Securityfocus
Cc: Dennis Dimka
Subject: PIX PPTP - Nat bypass?

 

Hello all;

 

I recently configured PPTP on our PIX 515E, and am able to successfully
establish a PPTP VPN connection from the outside.  My problem is this: it
appears as though logically PPTP clients are coming from the "outside"
interface, as they can only access IP addresses and ports that I allow into
the outside interface (web, smtp, the usual).  While this makes sense from
the perspective that the packets are technically coming from the outside...
shouldn't VPN clients have more access, since they've authenticated?

 

My setup is pretty simple:

 

Outside int:       x.x.x.x (public routable IP address)

DMZ int:            10.0.1.1/24

Inside int:          10.0.0.1/24

 

I've assigned an ip pool for PPTP clients of 10.0.0.40-10.0.0.44 (ip local
pool mypool 10.0.0.40-10.0.0.44 mask 255.255.255.0)

 

In the couple of configuration examples I find on Cisco.com, the IP pool for
PPTP clients is always different than the inside interface IP block.  Where
as in my current configuration, they're one in the same (10.0.0.0/24)... or
more accurately, my PPTP IP Pool is within the subnet that the inside
interface resides on.  Cisco's online examples use a completely different IP
subnet for the PPTP pool (192.168.x.x, in their examples), and (apparently)
set up a NAT bypass (nat 0) from internal/private network to PPTP pool
subnet.

 

So... my questions to anyone who might know are:

 

1.      Is having a completely separate subnet (as in cisco's examples) the
preferred way of doing it?
2.      Is the reason I did not put the PPTP pool on its own subnet perhaps
the reason that authenticated PPTP VPN clients only have the same access
levels as someone coming in from the outside interface?
3.      If I create an access list along the lines of 'permit ip 10.0.0.0
255.255.255.0 any' (to allow VPN users access to internal IP addresses and
ports-doesn't that open my network up to spoof attacks (where users could
spoof a source address of 10.0.0.x and effectively bypass my firewall)?

 

Hope these questions make sense.  Thanks in advance to anyone who has any
answers.

 

Dennis Dimka

Network Administrator

MFS, Inc.

dennis.dimka@manna.com

 

Desk: 651-905-7591

Mobile: 612-616-0817

Fax: 651-994-6594
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Cisco PIX 501 [info req], blindhorizon
Next by Date:  RE: PIX PPTP - Nat bypass?, Bernstein, Charlie
Previous by Thread:  PIX PPTP - Nat bypass?, Dennis Dimka
Next by Thread:  RE: PIX PPTP - Nat bypass?, Bernstein, Charlie
Indexes:  [Date] [Thread] [Top] [All Lists]