Hi, we are planning to establish a VPN using Cisco routers to do PPTP (GRE). There is a Debian firewall at our end which has 3 network cards: one connects to our ISP via ISDN, the second is for our DMZ quarantine zone, and the third is for our local network. Where would be the best place to set up the Cisco router? Would it be in the DMZ?
The Debian version is an old 1.3 with kernel 2.0.34, which uses ipfwadm as opposed to the more secure ipchains. At present I am not too sure how to upgrade to use ipchains, so I am temporarily using our current setup so as to quickly establish the VPN. At a later date I will look into upgrading to a newer Debian version/kernel that supports ipchains. I do not think we need IP masquerading, as we connect to the outside with a registered address via the first ethernet card.

The following ipfwadm commands are what I am going to add to the IP forwarding rules:

# Allow the PPTP control channel in and out.
ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P tcp -S 199.0.0.2/32 -D 222.0.0.2/32 1723
ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P tcp -D 199.0.0.2/32 -S 222.0.0.2/32 1723

# Specify the acceptable clients explicitly for tighter security.
# Note that this is too open since we're forced to
# specify "-P all" rather than "-P 47" or "-P 50"...
# Allow the PPTP data channel and IPsec ESP traffic in and out.
ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P all -S 199.0.0.2/32 -D 222.0.0.2/32
ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P all -D 199.0.0.2/32 -S 222.0.0.2/32

Are there any other considerations that I have not thought of? I appreciate your help, as VPN/firewalling is new and slightly cryptic to me.

thanx
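
A rule set like the one in the post can be checked mechanically before it is loaded. The Python script below is an added example, not part of the original post: it parses ipfwadm command lines and reports a mistyped rule-list flag, "-P all" rules (the over-broad setting the post's own comment points out), TCP rules with no port, and peers not pinned to a /32 host. The function names, finding labels and the sample rules (documentation-range addresses) are constructed for illustration.

```python
# Added example: static audit of ipfwadm rule lines (not from the original post).
DIRECTIONS = {"-I", "-O", "-F"}   # input, output and forward rule lists

# Constructed sample rules; addresses are documentation ranges, not the post's.
SAMPLE = """\
# control channel
ipfwadm -I -a accept -W eth1 -P tcp -S 192.0.2.10/32 -D 198.51.100.20/32 1723
ipfwadm -O -a accept -W eth1 -P tcp -S 198.51.100.20/32 1723 -D 192.0.2.10/32
# data channel
ipfwadm -I -a accept -W eth1 -P all -S 192.0.2.10/32 -D 198.51.100.20/32
ipfwadm -0 -a accept -W eth1 -P all -S 198.51.100.20/32 -D 0.0.0.0/0
"""

def parse_rule(line):
    """Return the fields of one ipfwadm command, or None for other lines."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "ipfwadm":
        return None
    # ipfwadm treats a missing -P as "all", so that is the default here too.
    rule = {"dir": tok[1], "proto": "all", "addr": {}, "ports": {}}
    i = 2
    while i < len(tok):
        flag = tok[i]
        i += 1
        if flag == "-P" and i < len(tok):
            rule["proto"] = tok[i]
            i += 1
        elif flag in ("-S", "-D") and i < len(tok):
            rule["addr"][flag] = tok[i]
            i += 1
            ports = []
            # Ports are written directly after the address they apply to.
            while i < len(tok) and not tok[i].startswith("-"):
                ports.append(tok[i])
                i += 1
            rule["ports"][flag] = ports
    return rule

def audit(text):
    """Return (line_number, finding) pairs for rules broader than intended."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["dir"] not in DIRECTIONS:
            findings.append((n, "bad-direction"))     # e.g. digit 0 typed for letter O
        if rule["proto"] == "all":
            findings.append((n, "any-protocol"))      # admits more than GRE/ESP
        elif rule["proto"] == "tcp" and not any(rule["ports"].values()):
            findings.append((n, "tcp-without-port"))
        for side in ("-S", "-D"):
            if not rule["addr"].get(side, "").endswith("/32"):
                findings.append((n, "open-peer " + side))
    return findings
```

Calling `audit(SAMPLE)` lists each finding with the line number it came from; an empty list means none of these four checks fired, not that the rule set is otherwise sound.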