TOPIC: Cisco vpdn access list

Cisco vpdn access list 10 years 11 months ago #12167

Posted by suderman (Frequent Member):

Hello!

I have set up a simple vpdn server on a Cisco 800 series router.
It is used for remote users who are using the W2k VPN client.
The protocol is PPTP.

Users authenticate to the server using usernames defined locally on the router.
Then they get a local IP address from a pool that is also defined on the router.
This is working fine and I want it to stay like this.

What I would like to do now is to make connections possible only from several IP addresses.
I know it's possible by creating a simple access list, but I don't know which part of the configuration to assign it to.

Is logging of vpdn connections also possible?

The configuration of vpdn looks like this:

username user password 7 xxxxxxxxxxxxxxx

aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

vpdn enable

!
vpdn-group 1
! Default PPTP VPDN group
description VPDN Group for remote Windows VPN clients
accept-dialin
protocol pptp
virtual-template 1
!

!
interface Virtual-Template1
ip unnumbered Ethernet1
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!

interface Virtual-Template1
ip unnumbered Ethernet1
ip mroute-cache
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!

ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

ip access-list standard vpn-users permit xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx


Thank You.

Re: Cisco vpdn access list 10 years 11 months ago #12206

Posted by Chris (Administrator):
suderman,

It's a good idea to try and restrict access from certain IP addresses. In order to achieve this, you simply need to add the following to the access list bound to your 'outside' interface (e.g. dialer interface):

1) Define the access list
access-list 103 permit tcp any host <your router's ip> eq 1723
access-list 103 permit gre any host <your router's ip>

You can change the '103' to whatever number extended access list you're using.

2) Bind the access list to your 'outside' interface.

Assuming our outside interface is dialer 0:
sh run:
........
interface Dialer0
description Internet Interface
ip access-group 103 in
........


That should do the job. If you have any problems, let us know!

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Cisco vpdn access list 10 years 11 months ago #12233

Posted by suderman (Frequent Member):
Thanks,

but doesn't that block other access to the internet interface?
This interface is our default gateway to the internet.
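The following is an added example and is not part of the thread or Firewall.cx's own material. It takes the access list and the Dialer0 binding from Chris's reply and extends it in two ways that relate to the questions asked above: the source of the PPTP rules is narrowed from 'any' to specific hosts (which is what restricting access to chosen IP addresses requires), and the 'log' keyword is used on the deny lines so rejected PPTP/GRE attempts appear in syslog. It also adds permits for the return traffic of sessions opened from the LAN, because an inbound access list on the outside interface ends in an implicit deny, which is the concern raised in the last post. All addresses are documentation placeholders: 192.0.2.1 stands for the router's outside address, 203.0.113.10 and 203.0.113.20 for the two remote users' public addresses, and 10.0.0.5 for a syslog server; the interface and pool names are assumed to match the original configuration.

```cisco
! ---------------------------------------------------------------
! Added example (not from the thread). Placeholder addresses:
!   192.0.2.1      = router's outside (Dialer0) address
!   203.0.113.10   = remote user A's public address
!   203.0.113.20   = remote user B's public address
!   10.0.0.5       = internal syslog server
! ---------------------------------------------------------------

! Send access-list log messages and VPN events to a syslog host so
! that rejected PPTP attempts can be reviewed later.
logging host 10.0.0.5
logging trap informational

! Extended access list applied inbound on the outside interface.
! Order matters: specific permits first, logged denies for PPTP/GRE
! next, then the return traffic the LAN needs; everything else is
! dropped by the implicit deny at the end of the list.
access-list 103 remark --- PPTP control channel (TCP 1723) from trusted hosts only
access-list 103 permit tcp host 203.0.113.10 host 192.0.2.1 eq 1723
access-list 103 permit tcp host 203.0.113.20 host 192.0.2.1 eq 1723
access-list 103 remark --- GRE carries the PPTP data; same trusted hosts
access-list 103 permit gre host 203.0.113.10 host 192.0.2.1
access-list 103 permit gre host 203.0.113.20 host 192.0.2.1
access-list 103 remark --- PPTP/GRE from anyone else: drop and log
access-list 103 deny   tcp any host 192.0.2.1 eq 1723 log
access-list 103 deny   gre any host 192.0.2.1 log
access-list 103 remark --- return traffic for sessions the LAN opened
access-list 103 remark --- (assumes NAT overload on 192.0.2.1; adjust if not)
access-list 103 permit tcp any host 192.0.2.1 established
access-list 103 permit udp any eq 53 host 192.0.2.1
access-list 103 permit icmp any host 192.0.2.1 echo-reply
access-list 103 permit icmp any host 192.0.2.1 unreachable
access-list 103 permit icmp any host 192.0.2.1 time-exceeded
! implicit: access-list 103 deny ip any any

! Bind the list inbound on the outside interface, as in Chris's reply.
interface Dialer0
 description Internet Interface
 ip access-group 103 in
!
```

Two points about the design. First, the 'established' and DNS lines are the minimal static way of letting replies back in; the 'established' keyword only matches TCP flags and does nothing for UDP, so a router with this kind of traffic mix is usually better served by IOS stateful inspection (CBAC, 'ip inspect') or a reflexive access list, which open return paths automatically. Second, the two 'deny ... log' lines are placed before the broader permits on purpose: a logged deny for a PPTP or GRE packet from an address that is not on the list is exactly the event worth reviewing, whereas the implicit deny at the end of the list records nothing unless it is written out explicitly with 'log'.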