09-18-2008 01:32 PM - edited 03-11-2019 06:46 AM
Please help! I configured a zone-based firewall and here is part of my config file:
class-map type inspect match-any test
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls--3
 match access-group name Public
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 match class-map test
class-map type inspect match-all sdm-cls--1
 match access-group name LAN
class-map type inspect match-all sdm-cls--5
 match access-group name pristup
class-map type inspect match-all sdm-cls--4
 match access-group name VPN
!
!
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls--3
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  pass
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect sdm-cls--5
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--4
 class type inspect sdm-cls--4
  inspect
 class class-default
!
zone security visitors
zone security employee
zone security Internet
zone security VPN
zone-pair security sdm-zp-visitors-employee source visitors destination employee
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-visitors-Internet source visitors destination Internet
 service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-VPN-employee source VPN destination employee
 service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-Internet-employee source Internet destination employee
 service-policy type inspect sdm-policy-sdm-cls--5
...
ip access-list extended Internet
 remark SDM_ACL Category=128
 permit ip 192.168.201.0 0.0.0.255 any
------------------
With this configuration a user from inside cannot establish a PPTP connection to an outside PPTP server. Where is my mistake?
09-19-2008 12:35 AM
I assume here the users are in the employee zone and the PPTP server is in the internet zone.
PPTP uses a TCP connection to establish a GRE link. Your policy sdm-policy-sdm-cls--2 only inspects class sdm-cls--2, i.e. you only inspect tcp and udp traffic. Anything else is passed without inspection.
You didn't post the access list pristup, but I guess it won't accept incoming GRE.
I would say you have to remove the test class-map from the sdm-cls--2 class to inspect all IP protocols and not only tcp and udp. Or you add gre to the test class-map if gre is supported for "match protocol".
Generally, I find it helpful for debugging to have a "drop log" rule for class-default where you don't pass traffic. It shows you which policy drops the packet and may give you a hint where the problem is.
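As an added illustration of the two changes proposed in the reply above (this is not the original poster's running config and not part of either post), here is the employee-to-Internet policy with the nested `match class-map test` removed from sdm-cls--2, so that every IP protocol permitted by the Internet ACL is inspected rather than only tcp and udp, and with class-default switched from `pass` to `drop log` so that anything that still falls through is logged with the policy name. Class, ACL, policy and zone-pair names are taken from the original post; the commands are shown as you would type them in configuration mode.

```cisco
! Added example; not the original poster's running config.
! Step 1: stop restricting sdm-cls--2 to tcp/udp. After this the class
! matches all IP traffic permitted by the "Internet" ACL, and the
! class-map "test" is no longer referenced by this policy.
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 no match class-map test
!
! Step 2: debugging aid from the reply. Traffic that matches nothing is
! dropped and logged instead of being passed silently, so a syslog line
! names the policy map that discarded the packet.
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  drop log
!
! The zone-pair binding from the original post stays as it is.
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
```

After applying this, retry the PPTP connection and check `show policy-map type inspect zone-pair sdm-zp-employee-Internet sessions` for the TCP/1723 control session and whatever the firewall creates for the GRE leg, and `show logging` for drop messages from sdm-policy-sdm-cls--2. Whether GRE can be stateful-inspected on a given IOS release, and what the unshown `pristup` ACL on the Internet-to-employee pair does with GRE, is not settled by the page; the `drop log` line is there precisely to show which of the two is discarding the packets.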