topic Hi, in Network Security

Issue with ZBF when using PPTP

darren-carr — Tue, 12 Mar 2019 07:36:03 GMT

Hi community,

We have a 3945 router configured with a ZBF that serves as a Guest router. We have an issue when a client attempts to initiate a PPTP VPN. I've performed a Wireshark capture and can see the tunnel established (tcp-1723), and the PPP LCP packets from the client (GRE), but I see nothing coming back from the server. As soon as I disable the ZBF the VPN establishes and the traffic is two way, so the issue lies with the ZBF configuration. I've managed to get an extract of the configuration, but am struggling to see where the issue lies. I think it is GRE being blocked, but as far as I can see it is permitted to/from the correct zones.

Any advice on what I may have missed or what configuration needs to be adjusted?

Thanks

Please post contents of

Paul Chapman — Sun, 10 Apr 2016 18:36:21 GMT

Please post contents of Access-List "ACL-GUEST-LAN".

Hi,

darren-carr — Sun, 10 Apr 2016 19:12:42 GMT

Hi,

Please see below

ip access-list extended ACL-GUEST-LAN
permit ip 192.168.0.0 0.0.7.255 any
permit ip 172.30.0.0 0.0.0.255 any

This represents the interface IP and a secondary IP I was also testing with. We are currently testing with the 172.30.x.x subnet as a secondary to rule out an issue with the 192.168.x.x.

Hi -

Paul Chapman — Sun, 10 Apr 2016 19:41:20 GMT

Hi -

I think that you were on the right track. The key is to enable GRE bidirectionally, and you may need to add protocol inspection for PPTP going outbound. I've extracted the relevant portions and added some suggested configuration:

ip access-list extended ACL-GUEST-LAN
 permit ip 192.168.0.0 0.0.7.255 any
 permit ip 172.30.0.0 0.0.0.255 any
class-map type inspect match-all CLASS-GUEST-2-INTERNET
 match access-group name ACL-GUEST-LAN
!!
class-map type inspect match-any GUEST-PROTOCOLS
 match protocol pptp
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-all CLASS-GRE
 match access-group name ACL-GRE
!!
policy-map type inspect POLICY-GUEST-2-INTERNET
 class type inspect CLASS-GUEST-2-INTERNET
  inspect
 class type inspect GUEST-PROTOCOLS
  inspect
 class type inpsect CLASS-GRE
  pass
 class class-default
  drop
zone-pair security ZP-GUEST-2-INTERNET source guest destination internet
 service-policy type inspect POLICY-GUEST-2-INTERNET
!
policy-map type inspect POLICY-INTERNET-2-GUEST
 class type inspect CLASS-ICMP-PMTU
  pass
 class type inpsect CLASS-GRE
  pass
 class class-default
  drop
zone-pair security ZP-INTERNET-2-GUEST source internet destination guest
 service-policy type inspect POLICY-INTERNET-2-GUEST

Eric Phillips posted an excellent example on his blog:

http://blog.ephillips.us/2011/02/zone-based-firewall-pptp-pass-through.html

Hope that helps.

PSC

Thanks, unfortunately it did

darren-carr — Mon, 11 Apr 2016 19:35:49 GMT

Thanks, unfortunately it did not have the desired effect 😞

It definitely appears related to an element of the GRE configuration as I am receiving error code 806 on the Windows client.