https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243554#M348748 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yeah, as we saw before the ZBFW was not complaining about any problems,</P><P></P><P><STRONG>Glad to see that I could help but remembe</STRONG>r <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">to rate all of the helpful posts, that for a free community as this is as important as a thanks</STRONG></P><P></P><P>Cheers</P><P><SPAN style="font-size: 12px; font-family: Arial, verdana, sans-serif;"><STRONG>Julio</STRONG></SPAN></P><P></P><P><SPAN style="font-size: 12px; font-family: Arial, verdana, sans-serif;"><STRONG><BR /></STRONG></SPAN></P></BODY></HTML> Wed, 05 Jun 2013 01:01:16 GMT Julio Carvajal 2013-06-05T01:01:16Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243544#M348738 <P>Hi All</P><P></P><P>Hoping someone can help me with an issue I am having with zbf on a router config I have just inherited.</P><P></P><P>I have configured it to passthrough GRE but the users still cannot connect <SPAN style="text-decoration: underline;">outbound</SPAN> to a PPTP server on the internet.</P><P></P><P>I have configured the following:</P><P></P><P>policy-map type inspect OUT-TO-WORLD</P><P>class type inspect URL-FILTER</P><P>&nbsp; inspect</P><P>&nbsp; service-policy urlfilter cppolicymap-1</P><P>class type inspect OUT-TO-WORLD</P><P>&nbsp; inspect</P><P>class type inspect PASS-ZBF-GRE</P><P>&nbsp; pass</P><P>class class-default</P><P>&nbsp; drop</P><P></P><P></P><P>class-map type inspect match-any PASS-ZBF-GRE</P><P>match access-group name pass-zbf-gre</P><P></P><P></P><P>Extended IP access list pass-zbf-gre</P><P>&nbsp;&nbsp;&nbsp; 10 permit gre any any</P><P></P><P></P><P>And added the same PASS-ZBF-GRE class-map to the IN-FROM-WORLD policy-map too but this has made no change.</P><P></P><P></P><P>Any thoughts?</P><P></P><P>Scott</P> Tue, 12 Mar 2019 01:52:24 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243544#M348738 Scott Gardner 2019-03-12T01:52:24Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243545#M348739 <HTML><HEAD></HEAD><BODY><P>Hello Scott,</P><P></P><P>With PPTP the first connection that will be stablish will be the TCP 1723 so then the traffic gets encapsulated into GRE packets for the data exchange (after both ends authenticate with each other)</P><P></P><P>Where is the PPTP traffic being inspected?</P><P></P><P>Is it on the <SPAN style="font-size: 10pt;">OUT-TO-WORLD class-map </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Regards</SPAN></P></BODY></HTML> Mon, 03 Jun 2013 19:57:02 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243545#M348739 Julio Carvajal 2013-06-03T19:57:02Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243546#M348740 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Thanks for your quick reply. </P><P></P><P>pptp traffic is being inspected in the OUT-TO-WORLD class-map.</P><P></P><P>Scott</P></BODY></HTML> Mon, 03 Jun 2013 22:22:48 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243546#M348740 Scott Gardner 2013-06-03T22:22:48Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243547#M348741 <HTML><HEAD></HEAD><BODY><P>If possible I would like to check entire Config</P></BODY></HTML> Mon, 03 Jun 2013 22:24:25 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243547#M348741 Julio Carvajal 2013-06-03T22:24:25Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243548#M348742 <HTML><HEAD></HEAD><BODY><P>See attached</P></BODY></HTML> Mon, 03 Jun 2013 23:41:26 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243548#M348742 Scott Gardner 2013-06-03T23:41:26Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243549#M348743 <HTML><HEAD></HEAD><BODY><P>Hello Scott,</P><P></P><P>It looks good.</P><P></P><P>Can you add</P><P>ip inspect log drop-pkt</P><P></P><P>And then try to connect and share</P><P>show logging | include x.x.x.x (PPTP server)</P></BODY></HTML> Tue, 04 Jun 2013 00:07:16 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243549#M348743 Julio Carvajal 2013-06-04T00:07:16Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243550#M348744 <HTML><HEAD></HEAD><BODY><P>I did as requested but there is nothing in the output at all.</P></BODY></HTML> Tue, 04 Jun 2013 03:25:37 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243550#M348744 Scott Gardner 2013-06-04T03:25:37Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243551#M348745 <HTML><HEAD></HEAD><BODY><P>When trying to telnet to the remote PPTP server on 1723 I get the following also:</P><P></P><P></P><P>telnet x.x.x.x 1723</P><P>Trying x.x.x.x, 1723 ...</P><P>% Connection timed out; remote host not responding</P><P></P><P></P><P>I have checked on the other end and there is nothing blocking traffic from this location and I can VPN to it from anywhere on the internet, just not this router.</P><P></P><P>On the windows client I get VPN error 800 (which is generally GRE)</P></BODY></HTML> Tue, 04 Jun 2013 03:40:01 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243551#M348745 Scott Gardner 2013-06-04T03:40:01Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243552#M348746 <HTML><HEAD></HEAD><BODY><P>Hello Scott,</P><P></P><P>Does not make any sense as the router is not showing any issues,</P><P></P><P>Let's do a quick ACL check on the router so we can determine if traffic is even reaching the router</P><P></P><P>ip access-list extended inside_in</P><P>permit tcp host client_ip host PPTP_server eq 1723</P><P>permit ip any any</P><P></P><P>ip access-list extended inside_out</P><P>permit tcp host PPTP_server eq 1723 host client_ip</P><P>permit ip any any</P><P></P><P>ip access-list extended outside_out</P><P>permit tcp host client_ip host PPTP_server eq 1723</P><P>permit ip any any</P><P></P><P>ip access-list extended outside_in </P><P>permit tcp host PPTP_server eq 1723 client_ip address_public</P><P>permit ip any any</P><P></P><P>interface inside</P><P>ip access-group inside_in in</P><P>ip access-group inside_out out</P><P></P><P>interface gig 0/x outside</P><P>ip access-group outside_out</P><P>ip access-group outside_in in </P><P></P><P>Then try to connect and share all of the </P><P>show ip access-list for each of the ones,</P><P></P><P>If we see matches in only one direction then we no this is an uniderectional-problem and if we see traffic stuck in the router then a problem in our site,</P><P></P><P>Let me know how it goes,</P><P></P><P><STRONG>Hey remember to rate all of the helpful posts, that for a free community as this is as important as a thanks </STRONG></P><P></P><P>Julio </P></BODY></HTML> Tue, 04 Jun 2013 05:57:30 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243552#M348746 Julio Carvajal 2013-06-04T05:57:30Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243553#M348747 <HTML><HEAD></HEAD><BODY><P>Hi Julio</P><P></P><P>Turns out coincidentally the other end was having issues with the PPTP server after I made the GRE changes so all is working now.</P><P></P><P>Many thanks for your help!</P><P></P><P>Scott</P></BODY></HTML> Wed, 05 Jun 2013 00:58:11 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243553#M348747 Scott Gardner 2013-06-05T00:58:11Z https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243554#M348748 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yeah, as we saw before the ZBFW was not complaining about any problems,</P><P></P><P><STRONG>Glad to see that I could help but remembe</STRONG>r <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">to rate all of the helpful posts, that for a free community as this is as important as a thanks</STRONG></P><P></P><P>Cheers</P><P><SPAN style="font-size: 12px; font-family: Arial, verdana, sans-serif;"><STRONG>Julio</STRONG></SPAN></P><P></P><P><SPAN style="font-size: 12px; font-family: Arial, verdana, sans-serif;"><STRONG><BR /></STRONG></SPAN></P></BODY></HTML> Wed, 05 Jun 2013 01:01:16 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-gre-passthrough-for-pptp-vpn-outbound/m-p/2243554#M348748 Julio Carvajal 2013-06-05T01:01:16Z