I have found from past exerience that when you use the same subnet to run the
VPN pool it ends up causeing more headaches then it is worth. If you use a
seperate pool for the VPN then you gain a few things.
1) When doing internal routing of traffic you know when to send the return
packets for the VPN traffic to get back out the tunnel.
2) Stopping the NAT translation on the PIX allows for a simpler rule set then
setting up the seperate lines for each ip address.
3) If you ever more the pool to a different device because you have outgrown
the inital one it is easier to more ablock and just change the general routing
statments then to move the individual IP addresses.
In reguards to question 3.
When the tunnel is established it creates a temp ACL that allows all traffic
though the PIX for the VPN tunnel. THis ACL allows all traffic from the inside
interface to the ip address of the tunnel.
Charlie Bernstein
Project Administrator/IT Administrator
Raven Software
-----Original Message-----
From: Dennis Dimka [mailto:dennis.dimka@manna.com]
Sent: Monday, November 29, 2004 5:04 PM
To: Firewalls Securityfocus
Cc: Dennis Dimka
Subject: PIX PPTP - Nat bypass?
Hello all;
I recently configured PPTP on our PIX 515E, and am able to successfully
establish a PPTP VPN connection from the outside. My problem is this: it
appears as though logically PPTP clients are coming from the "outside"
interface, as they can only access IP addresses and ports that I allow into the
outside interface (web, smtp, the usual). While this makes sense from the
perspective that the packets are technically coming from the outside...
shouldn't VPN clients have more access, since they've authenticated?
My setup is pretty simple:
Outside int: x.x.x.x (public routable IP address)
DMZ int: 10.0.1.1/24
Inside int: 10.0.0.1/24
I've assigned an ip pool for PPTP clients of 10.0.0.40-10.0.0.44 (ip local pool
mypool 10.0.0.40-10.0.0.44 mask 255.255.255.0)
In the couple of configuration examples I find on Cisco.com, the IP pool for
PPTP clients is always different than the inside interface IP block. Where as
in my current configuration, they're one in the same (10.0.0.0/24)... or more
accurately, my PPTP IP Pool is within the subnet that the inside interface
resides on. Cisco's online examples use a completely different IP subnet for
the PPTP pool (192.168.x.x, in their examples), and (apparently) set up a NAT
bypass (nat 0) from internal/private network to PPTP pool subnet.
So... my questions to anyone who might know are:
1. Is having a completely separate subnet (as in cisco's examples) the
preferred way of doing it?
2. Is the reason I did not put the PPTP pool on its own subnet perhaps the
reason that authenticated PPTP VPN clients only have the same access levels as
someone coming in from the outside interface?
3. If I create an access list along the lines of 'permit ip 10.0.0.0
255.255.255.0 any' (to allow VPN users access to internal IP addresses and
ports-doesn't that open my network up to spoof attacks (where users could spoof
a source address of 10.0.0.x and effectively bypass my firewall)?
Hope these questions make sense. Thanks in advance to anyone who has any
answers.
Dennis Dimka
Network Administrator
MFS, Inc.
dennis.dimka@manna.com
Desk: 651-905-7591
Mobile: 612-616-0817
Fax: 651-994-6594
