Issue with ZBF when using PPTP

darren-carr
Level 2

Hi community,

We have a 3945 router configured with a ZBF that serves as a Guest router. We have an issue when a client attempts to initiate a PPTP VPN. I've performed a Wireshark capture and can see the tunnel established (tcp-1723), and the PPP LCP packets from the client (GRE), but I see nothing coming back from the server. As soon as I disable the ZBF the VPN establishes and the traffic is two way, so the issue lies with the ZBF configuration. I've managed to get an extract of the configuration, but am struggling to see where the issue lies. I think it is GRE being blocked, but as far as I can see it is permitted to/from the correct zones.

Any advice on what I may have missed or what configuration needs to be adjusted?

Thanks

4 Replies

Paul Chapman
Level 4

Please post contents of Access-List "ACL-GUEST-LAN".

Hi,

Please see below

ip access-list extended ACL-GUEST-LAN
 permit ip 192.168.0.0 0.0.7.255 any
 permit ip 172.30.0.0 0.0.0.255 any

This represents the interface IP and a secondary IP I was also testing with. We are currently testing with the 172.30.x.x subnet as a secondary to rule out an issue with the 192.168.x.x.

Hi -

I think that you were on the right track. The key is to enable GRE bidirectionally, and you may need to add protocol inspection for PPTP going outbound. I've extracted the relevant portions and added some suggested configuration:

ip access-list extended ACL-GUEST-LAN
 permit ip 192.168.0.0 0.0.7.255 any
 permit ip 172.30.0.0 0.0.0.255 any
class-map type inspect match-all CLASS-GUEST-2-INTERNET
 match access-group name ACL-GUEST-LAN
!
class-map type inspect match-any GUEST-PROTOCOLS
 match protocol pptp
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-all CLASS-GRE
 match access-group name ACL-GRE
!
! CLASS-GRE is listed first: classes in a policy-map are evaluated in order,
! and the "permit ip ... any" class would otherwise catch GRE and hand it to
! inspect, which does not support GRE.
policy-map type inspect POLICY-GUEST-2-INTERNET
 class type inspect CLASS-GRE
  pass
 class type inspect CLASS-GUEST-2-INTERNET
  inspect
 class type inspect GUEST-PROTOCOLS
  inspect
 class class-default
  drop
zone-pair security ZP-GUEST-2-INTERNET source guest destination internet
 service-policy type inspect POLICY-GUEST-2-INTERNET
!
policy-map type inspect POLICY-INTERNET-2-GUEST
 class type inspect CLASS-ICMP-PMTU
  pass
 class type inspect CLASS-GRE
  pass
 class class-default
  drop
zone-pair security ZP-INTERNET-2-GUEST source internet destination guest
 service-policy type inspect POLICY-INTERNET-2-GUEST

Eric Phillips posted an excellent example on his blog:

http://blog.ephillips.us/2011/02/zone-based-firewall-pptp-pass-through.html

Hope that helps.

PSC
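ZBF applies the first class in a policy-map that matches a packet, so a class built on a "permit ip ... any" ACL with the inspect action will see GRE before a later CLASS-GRE with pass ever does, and inspect does not support GRE. The Python below is an added check, not code from this thread, that parses a constructed config fragment and flags that ordering; the parser is deliberately minimal and assumes the fragment contains only extended ACLs, class-maps with access-group matches, and inspect policy-maps in the form used above.

```python
# Constructed sample: a broad "permit ip" inspect class placed before the GRE pass class.
SAMPLE_CONFIG = """\
ip access-list extended ACL-GUEST-LAN
 permit ip 192.168.0.0 0.0.7.255 any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-all CLASS-GUEST-2-INTERNET
 match access-group name ACL-GUEST-LAN
class-map type inspect match-all CLASS-GRE
 match access-group name ACL-GRE
policy-map type inspect POLICY-GUEST-2-INTERNET
 class type inspect CLASS-GUEST-2-INTERNET
  inspect
 class type inspect CLASS-GRE
  pass
"""

def parse(config):
    # Returns ACL protocols, class-map -> ACL names, and policy-map class order.
    acls, cmaps, pmaps, cur = {}, {}, {}, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level line opens a section
            table = {"ip": acls, "class-map": cmaps, "policy-map": pmaps}.get(words[0])
            cur = None if table is None else table.setdefault(words[-1], [])
        elif cur is None:
            continue
        elif words[0] == "permit":             # ACL entry: keep the protocol
            cur.append(words[1])
        elif line.startswith("match access-group name"):
            cur.append(words[-1])              # class-map -> ACL name
        elif words[0] == "class":              # policy-map class header
            cur.append([words[-1], None])
        elif cur and isinstance(cur[-1], list):
            cur[-1][1] = line                  # action (inspect/pass/drop) for that class
    return acls, cmaps, pmaps

def protocols(cls, cmaps, acls):
    # Protocols a class admits through its access-group matches ("ip" covers GRE).
    return {p for acl in cmaps.get(cls, []) for p in acls.get(acl, [])}

def shadowed_gre_pass(classes, cmaps, acls):
    # Inspect classes that catch GRE before a later 'pass' GRE class gets to see it.
    findings, earlier_inspect = [], []
    for cls, action in classes:
        protos = protocols(cls, cmaps, acls)
        if action == "pass" and "gre" in protos:
            findings.extend(earlier_inspect)
        elif action == "inspect" and protos & {"ip", "gre"}:
            earlier_inspect.append(cls)
    return findings
```

Running it on the sample reports CLASS-GUEST-2-INTERNET as the class shadowing CLASS-GRE; moving CLASS-GRE to the top of the policy-map clears the finding.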

Thanks, unfortunately it did not have the desired effect :(

It definitely appears related to an element of the GRE configuration as I am receiving error code 806 on the Windows client.
