GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: PPTP VPN with ACL posted 01/26/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


Przemek,

    I don't know anything about this virus, but if you're trying to keep
your VPN clients away from the SQL server, why not put some bogus host
routes or arp entries on the SQL server?  Make it so that it can't reach the
VPN clients.  Or else maybe an ACL on inside interface blocking UDP from the
server to the VPN clients.  Use your imagination.  Does your SQL vendor have
a fix?

Chuck Church
CCIE #8776, MCNE, MCSE


----- Original Message -----
From: "Przemyslaw Karwasiecki" <karwas@bellsouth.net>
To: <security@groupstudy.com>
Sent: Saturday, January 25, 2003 9:18 PM
Subject: PPTP VPN with ACL


> Hello,
>
> I am desperately looking for help with PPTP VPN config.
>
> With all this W32.SQL worm in the wild, I have just realized,
> that if any windows machine initiating PPTP VPN connection
> to our PIX is infected, it will infect any machines on our
> inside network.
>
> So I had to shut down VPN, and I am under pressure to re-enable it,
> but I don't know how to apply ACL to connections initiated via PPTP VPN.
>
> I am using ip local pool vpn_clients x.x.x.64-x.x.x.127,
> and x.x.x.0/24 is actually the same network as on inside interface.
>
> Basically, what I am trying to accomplish is to build ACL like this
>
> access-list vpn_acl deny udp x.x.x.64 255.255.255.192 any eq 1434
> access-list vpn_acl permit ip any any
>
> and somehow apply it to all PPTP connections,
> like with this imaginary command:
>
> access-group vpn_acl in vpdn group 1
>
> Is it wishful thinking, or I can do it somehow?
>
> Thanks,
>
> Przemek