Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PIX PPTP - Nat bypass?

from [Andrew Shore] Network Security [Permanent Link]
Subject: RE: PIX PPTP - Nat bypass?
Date: Thu, 2 Dec 2004 18:10:00 -0000 
1st I would always use a separate subnet in this scenario.

 

When trying to connect to resources are you using names or ip addresses
?

 

The servers/services you can connect to is this via their public or
private address and hence are you certain that you are connecting via
the VPN?

 

Edited code may samples may help.

 

Andy

 

 

________________________________

From: Dennis Dimka [mailto:dennis.dimka@manna.com] 
Sent: 29 November 2004 23:06
To: Dennis Dimka; 'Firewalls Securityfocus'
Subject: RE: PIX PPTP - Nat bypass?

 

I should also note that I did issue the sysopt command to generally
allow PPTP traffic (sysopt permit-pptp)

 

________________________________

From: Dennis Dimka 
Sent: Monday, November 29, 2004 5:04 PM
To: Firewalls Securityfocus
Cc: Dennis Dimka
Subject: PIX PPTP - Nat bypass?

 

Hello all;

 

I recently configured PPTP on our PIX 515E, and am able to successfully
establish a PPTP VPN connection from the outside.  My problem is this:
it appears as though logically PPTP clients are coming from the
"outside" interface, as they can only access IP addresses and ports that
I allow into the outside interface (web, smtp, the usual).  While this
makes sense from the perspective that the packets are technically coming
from the outside... shouldn't VPN clients have more access, since
they've authenticated?

 

My setup is pretty simple:

 

Outside int:       x.x.x.x (public routable IP address)

DMZ int:            10.0.1.1/24

Inside int:          10.0.0.1/24

 

I've assigned an ip pool for PPTP clients of 10.0.0.40-10.0.0.44 (ip
local pool mypool 10.0.0.40-10.0.0.44 mask 255.255.255.0)

 

In the couple of configuration examples I find on Cisco.com, the IP pool
for PPTP clients is always different than the inside interface IP block.
Where as in my current configuration, they're one in the same
(10.0.0.0/24)... or more accurately, my PPTP IP Pool is within the
subnet that the inside interface resides on.  Cisco's online examples
use a completely different IP subnet for the PPTP pool (192.168.x.x, in
their examples), and (apparently) set up a NAT bypass (nat 0) from
internal/private network to PPTP pool subnet.

 

So... my questions to anyone who might know are:

 

1.      Is having a completely separate subnet (as in cisco's examples)
the preferred way of doing it?
2.      Is the reason I did not put the PPTP pool on its own subnet
perhaps the reason that authenticated PPTP VPN clients only have the
same access levels as someone coming in from the outside interface?
3.      If I create an access list along the lines of 'permit ip
10.0.0.0 255.255.255.0 any' (to allow VPN users access to internal IP
addresses and ports-doesn't that open my network up to spoof attacks
(where users could spoof a source address of 10.0.0.x and effectively
bypass my firewall)?

 

Hope these questions make sense.  Thanks in advance to anyone who has
any answers.

 

Dennis Dimka

Network Administrator

MFS, Inc.

dennis.dimka@manna.com

 

Desk: 651-905-7591

Mobile: 612-616-0817

Fax: 651-994-6594
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: PIX PPTP - Nat bypass?, Jim Richards
Next by Date:  Re: PIX Questions, Torben Grisell
Previous by Thread:  RE: PIX PPTP - Nat bypass?, Jim Richards
Next by Thread:  RE: PIX PPTP - Nat bypass?, Vincent Goupil
Indexes:  [Date] [Thread] [Top] [All Lists]