04-08-2016 02:39 PM - edited 03-12-2019 12:36 AM
Hi community,
We have a 3945 router configured with a ZBF that serves as a Guest router. We have an issue when a client attempts to initiate a PPTP VPN. I've performed a Wireshark capture and can see the tunnel established (tcp-1723), and the PPP LCP packets from the client (GRE), but I see nothing coming back from the server. As soon as I disable the ZBF the VPN establishes and the traffic is two way, so the issue lies with the ZBF configuration. I've managed to get an extract of the configuration, but am struggling to see where the issue lies. I think it is GRE being blocked, but as far as I can see it is permitted to/from the correct zones.
Any advice on what I may have missed or what configuration needs to be adjusted?
Thanks
04-10-2016 11:36 AM
Please post contents of Access-List "ACL-GUEST-LAN".
04-10-2016 12:12 PM
Hi,
Please see below
ip access-list extended ACL-GUEST-LAN
permit ip 192.168.0.0 0.0.7.255 any
permit ip 172.30.0.0 0.0.0.255 any
This represents the interface IP and a secondary IP I was also testing with. We are currently testing with the 172.30.x.x subnet as a secondary to rule out an issue with the 192.168.x.x.
04-10-2016 12:41 PM
Hi -
I think that you were on the right track. The key is to enable GRE bidirectionally, and you may need to add protocol inspection for PPTP going outbound. I've extracted the relevant portions and added some suggested configuration:
ip access-list extended ACL-GUEST-LAN
 permit ip 192.168.0.0 0.0.7.255 any
 permit ip 172.30.0.0 0.0.0.255 any
!
! PPTP control runs on TCP/1723; the PPP tunnel itself rides on GRE (IP protocol 47)
ip access-list extended ACL-GRE
 permit gre any any
!
class-map type inspect match-all CLASS-GUEST-2-INTERNET
 match access-group name ACL-GUEST-LAN
!
class-map type inspect match-any GUEST-PROTOCOLS
 match protocol pptp
!
class-map type inspect match-all CLASS-GRE
 match access-group name ACL-GRE
!
! Classes in a policy-map are evaluated top-down, first match wins: the GRE and
! PPTP classes must come before the catch-all IP class or it matches them first.
policy-map type inspect POLICY-GUEST-2-INTERNET
 class type inspect CLASS-GRE
  pass
 class type inspect GUEST-PROTOCOLS
  inspect
 class type inspect CLASS-GUEST-2-INTERNET
  inspect
 class class-default
  drop
!
zone-pair security ZP-GUEST-2-INTERNET source guest destination internet
 service-policy type inspect POLICY-GUEST-2-INTERNET
!
! GRE from the VPN server arrives on the internet-to-guest zone-pair, so it is
! passed there explicitly. "pass" is stateless: this opens GRE from any internet
! host toward the guest zone, not only replies to guest-initiated tunnels.
policy-map type inspect POLICY-INTERNET-2-GUEST
 class type inspect CLASS-ICMP-PMTU
  pass
 class type inspect CLASS-GRE
  pass
 class class-default
  drop
!
zone-pair security ZP-INTERNET-2-GUEST source internet destination guest
 service-policy type inspect POLICY-INTERNET-2-GUEST
Eric Phillips posted an excellent example on his blog:
http://blog.ephillips.us/2011/02/zone-based-firewall-pptp-pass-through.html
Hope that helps.
PSC
04-11-2016 12:35 PM
Thanks, unfortunately it did not have the desired effect :(
It definitely appears related to an element of the GRE configuration as I am receiving error code 806 on the Windows client.
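The check the original poster did by hand in Wireshark (control channel on TCP/1723 comes up, GRE leaves the client, nothing comes back) can be scripted against the capture so that each firewall change is verified the same way. The following is an added example and not code from the thread or from Cisco: it parses a classic libpcap file (Ethernet or raw-IP link type), tallies PPTP control and GRE packets in each direction relative to the VPN client, and reports whether the GRE return path is missing. The client and server addresses, MAC addresses and the embedded sample capture are all constructed for the demo; pcapng files are not handled.

```python
"""Audit a PPTP pass-through capture for one-way GRE (added example, not from the thread)."""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101          # record payload is the IPv4 packet itself
IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPTP_PORT = 1723


def read_pcap(data):
    """Yield (linktype, frame_bytes) for every record in a classic libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def classify(linktype, frame):
    """Return (kind, src_ip, dst_ip) for an IPv4 frame, or None for anything else."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return ("pptp-control" if PPTP_PORT in (sport, dport) else "tcp", src, dst)
    if proto == IPPROTO_GRE:
        return ("gre", src, dst)
    return ("other", src, dst)


def audit_pptp(pcap_bytes, client_ip):
    """Count control/GRE packets per direction and give a verdict on the GRE return path."""
    counts = Counter()
    for linktype, frame in read_pcap(pcap_bytes):
        c = classify(linktype, frame)
        if c is None or c[0] not in ("pptp-control", "gre"):
            continue
        kind, src, dst = c
        direction = "out" if src == client_ip else "in" if dst == client_ip else None
        if direction:
            counts[f"{kind}_{direction}"] += 1
    if counts["pptp-control_in"] == 0:
        verdict = "no TCP/1723 reply: control channel blocked"
    elif counts["gre_out"] and not counts["gre_in"]:
        verdict = "GRE sent but none returned: check the pass rule on the internet-to-guest zone-pair"
    elif counts["gre_in"]:
        verdict = "GRE flows both ways"
    else:
        verdict = "no GRE seen: tunnel never reached LCP"
    return dict(counts), verdict


# --- constructed sample capture (documentation addresses, not real hosts) ---
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


def _gre_ppp_lcp():
    # Enhanced GRE per RFC 2637: flags 0x3001, protocol 0x880B (PPP), then a PPP LCP header
    return struct.pack("!HHHH", 0x3001, 0x880B, 4, 1) + b"\xff\x03\xc0\x21"


def build_sample_pcap(gre_reply):
    client, server = "192.168.1.10", "203.0.113.5"
    pkts = [
        _ipv4(client, server, IPPROTO_TCP, _tcp(49152, PPTP_PORT, 0x02)),   # SYN
        _ipv4(server, client, IPPROTO_TCP, _tcp(PPTP_PORT, 49152, 0x12)),   # SYN/ACK
        _ipv4(client, server, IPPROTO_GRE, _gre_ppp_lcp()),                 # LCP Configure-Request
        _ipv4(client, server, IPPROTO_GRE, _gre_ppp_lcp()),                 # retransmit
    ]
    if gre_reply:
        pkts.append(_ipv4(server, client, IPPROTO_GRE, _gre_ppp_lcp()))     # server's LCP reply
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    for i, p in enumerate(pkts):
        frame = eth + p
        out += struct.pack("<IIII", 1460000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    counts, verdict = audit_pptp(build_sample_pcap(gre_reply=False), "192.168.1.10")
    print(counts, "->", verdict)
```

Run it against a real file with `audit_pptp(open("guest.pcap", "rb").read(), "<client ip>")`, capturing on the guest-facing interface of the 3945 and then on the internet-facing one: GRE present on the inside but absent on the outside means the outbound zone-pair drops it; GRE leaving but never returning on the outside capture means the server or the inbound zone-pair is the problem. Wireshark captures saved as pcapng must be exported in the classic libpcap format first.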