ZBF - Return traffic categorized in wrong zone pair!

I have a router serving as a PPTP server, assigning remote users an IP in the local LAN range. From the LAN zone (zone_A), I can access another zone directly attached to the router (zone_B). The PPTP server runs on the external WAN interface (zone_C). I have a zone pair allowing all traffic from zone_A to zone_B, and it works fine for the local clients really on the LAN. However, for the PPTP clients I have to add another zone pair, B to C, allowing GRE traffic... which doesn't make sense (the PPTP client should be considered part of zone A! The GRE encapsulation is from self to C and shouldn't matter).

Example config (interface addresses, the pool range, the initiate-to address and the static route were left out of the post as extracted and are kept blank here):

Router 1 (main PPTP server):

hostname r1
!
no ip domain-lookup
!
username user@TEST password 0 testpassword
!
vpdn enable
!
vpdn-group vpnin
 ! accept-dialin was missing from the post as extracted; it is the PPTP
 ! server submode that "protocol pptp" and "virtual-template 1" belong to
 accept-dialin
  protocol pptp
  virtual-template 1
!
zone security zone_A
zone security zone_B
zone security zone_C
!
ip local pool vpn_pool
!
interface Loopback0
 ip address
 zone-member security zone_A
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no ip route-cache
 peer default ip address pool vpn_pool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 ! every Virtual-Access interface cloned from this template lands in zone_A
 zone-member security zone_A
!
interface FastEthernet0/0
 ip address
 zone-member security zone_C
 no shut
!
interface FastEthernet0/1
 ip address
 zone-member security zone_B
 no shut
!
ip access-list extended acl_gre
 permit gre any any
!
class-map type inspect cm_gre
 match access-group name acl_gre
class-map type inspect match-any cm_all
 match protocol icmp
 match protocol udp
 match protocol tcp
!
! The class actions were not in the post as extracted. "pass" is assumed for
! the GRE class, since ZBF cannot stateful-inspect GRE; "inspect" is assumed
! for the icmp/udp/tcp class.
policy-map type inspect pm_gre
 class cm_gre
  pass
policy-map type inspect pm_all
 class cm_all
  inspect
!
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all
zone-pair security zp_B_to_C source zone_B destination zone_C
 service-policy type inspect pm_gre

Router 2 (PPTP client):

hostname r2
!
no ip domain-lookup
!
interface FastEthernet0/0
 ip address
 no shut
!
vpdn enable
!
vpdn-group vpnout
 ! request-dialin was missing from the post as extracted; it is the PPTP
 ! client submode that "protocol pptp" and "rotary-group 0" belong to
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip
!
interface Dialer0
 mtu 1450
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname user@TEST
 ppp chap password 0 testpassword
!
dialer-list 1 protocol ip permit

Router 3 (random machine in zone_B to test ping):

hostname r3
!
no ip domain-lookup
!
interface FastEthernet0/0
 ip address
 no shut
!
ip route

So... why the hell do I need this B_to_C zone pair for it to work?

2 Replies

Julio Carvajal

As simple as the ZBFW will see that the connection is being initiated from a host on zone B, even though he looks like a host from the A zone.

Julio Carvajal
Senior Network Security and Core Specialist

But why would ZBF see that?

I'm trying to ping a host in zone B (= R3) from the PPTP client (R2), which has its Virtual-Access in zone A.

(I'm typing 'ping' on a shell on R2.)

When I do a "show policy-firewall sessions", I can see that the session is created under the right zone pair (A_to_B).

And the forward packet (echo request from A to B) passes without problem. But the return packet (ICMP reply from B to A) is actually somehow put into the B to C zone pair as a GRE packet, which doesn't make sense to me since:

1) 'C' is the zone of neither the source nor the destination of that packet.

2) The 'GRE' packet encapsulating the response is generated in the router itself and not coming from B, and so should be classed as a "self to C" zone-pair packet.
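A toy model of the ZBF zone-pair lookup, added here as an example; it is not code from this thread or from Cisco. It encodes the documented ZBF defaults (traffic inside one zone passes, a zoned interface cannot talk to an unzoned one, the self zone is open unless a policy is attached to it, any other pair of zones needs a zone pair with a policy, and the return half of an inspected session is allowed by session state) using the zones, interfaces and zone pairs from the config in the original post, then classifies the ping from the PPTP client to R3 both ways the GRE-encapsulated reply could be accounted for, which are the two views compared in the follow-up above. The IP addresses, the name `Virtual-Access1` for the interface cloned from `Virtual-Template1`, and the `pass` action for the GRE class are the example's own assumptions.

```python
"""Toy model of Cisco IOS Zone-Based Firewall (ZBF) zone-pair lookup.

Added example, not code from the original thread or from Cisco. Zone names,
interface names and zone pairs come from the poster's config; IP addresses
and the traffic flows are constructed for the example.
"""
from dataclasses import dataclass, field

SELF = "self"  # ZBF's implicit zone for router-originated/terminated traffic


@dataclass
class ZonePair:
    name: str
    src: str
    dst: str
    inspect: frozenset = frozenset()  # protocols handled by "inspect" (stateful)
    passthru: frozenset = frozenset()  # protocols handled by "pass" (stateless)


@dataclass
class Zbf:
    iface_zone: dict                            # interface -> zone name
    pairs: list                                 # configured ZonePair objects
    sessions: set = field(default_factory=set)  # reverse flows opened by inspect

    def zone_of(self, iface):
        return SELF if iface == SELF else self.iface_zone.get(iface)

    def classify(self, in_iface, out_iface, flow):
        """flow = (src_ip, dst_ip, proto); returns (verdict, reason)."""
        src_ip, dst_ip, proto = flow
        src_zone, dst_zone = self.zone_of(in_iface), self.zone_of(out_iface)
        if flow in self.sessions:                       # reply to an inspected flow
            return "pass", "existing session"
        if src_zone is not None and src_zone == dst_zone:
            return "pass", "same zone"
        if src_zone is None or dst_zone is None:        # zoned <-> unzoned interface
            return "drop", "unzoned interface"
        zp = next((p for p in self.pairs if (p.src, p.dst) == (src_zone, dst_zone)), None)
        if zp is None:
            if SELF in (src_zone, dst_zone):            # self zone: open by default
                return "pass", "self zone default"
            return "drop", f"no zone pair {src_zone}->{dst_zone}"
        if proto in zp.inspect:
            self.sessions.add((dst_ip, src_ip, proto))  # allow the return flow
            return "pass", zp.name
        if proto in zp.passthru:
            return "pass", zp.name
        return "drop", f"{zp.name} class-default drop for {proto}"


def build_zbf(with_b_to_c_pair):
    """Zones and interfaces from the post; Virtual-Access1 is assumed to be the
    interface cloned from Virtual-Template1, so it inherits zone_A."""
    iface_zone = {
        "Loopback0": "zone_A", "Virtual-Access1": "zone_A",
        "FastEthernet0/0": "zone_C", "FastEthernet0/1": "zone_B",
    }
    pairs = [ZonePair("zp_A_to_B", "zone_A", "zone_B",
                      inspect=frozenset({"icmp", "udp", "tcp"}))]
    if with_b_to_c_pair:   # the extra pair the poster had to add; "pass" for GRE is assumed
        pairs.append(ZonePair("zp_B_to_C", "zone_B", "zone_C",
                              passthru=frozenset({"gre"})))
    return Zbf(iface_zone, pairs)


# Constructed addresses (RFC 5737 documentation ranges): the PPTP client's pool
# address, R3 in zone_B, and the R1/R2 WAN addresses carrying the GRE tunnel.
VPN_CLIENT, R3, R1_WAN, R2_WAN = "192.0.2.10", "198.51.100.3", "203.0.113.1", "203.0.113.2"


def run_scenario(with_b_to_c_pair):
    """Classify the ping from the PPTP client to R3 and its reply, including
    both ways the firewall might account for the GRE-encapsulated reply."""
    fw = build_zbf(with_b_to_c_pair)
    out = {}
    # Echo request: decapsulated on Virtual-Access1 (zone_A), routed to Fa0/1 (zone_B).
    out["echo_request"] = fw.classify("Virtual-Access1", "FastEthernet0/1",
                                      (VPN_CLIENT, R3, "icmp"))
    # Inner echo reply: Fa0/1 (zone_B) back to Virtual-Access1 (zone_A).
    out["echo_reply_inner"] = fw.classify("FastEthernet0/1", "Virtual-Access1",
                                          (R3, VPN_CLIENT, "icmp"))
    # Encapsulated reply as the poster expects it: router-originated GRE, self to zone_C.
    out["gre_reply_as_self"] = fw.classify(SELF, "FastEthernet0/0",
                                           (R1_WAN, R2_WAN, "gre"))
    # Encapsulated reply as the poster observes it: charged to zone_B to zone_C.
    out["gre_reply_as_B_to_C"] = fw.classify("FastEthernet0/1", "FastEthernet0/0",
                                             (R1_WAN, R2_WAN, "gre"))
    return out


if __name__ == "__main__":
    for pair in (False, True):
        print(f"zp_B_to_C configured: {pair}")
        for name, (verdict, reason) in run_scenario(pair).items():
            print(f"  {name:20s} -> {verdict:4s} ({reason})")
```

Run it with and without the zp_B_to_C pair: the reply charged to self-to-zone_C passes by default, while the same GRE packet charged to zone_B-to-zone_C is dropped until a zone pair permitting GRE exists, which is the behaviour reported in this thread. The model takes the zone from whichever interface it is told about; it does not settle which interface context IOS actually uses for the encapsulated packet, it only shows which of the two views makes the B-to-C pair necessary.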
