01-05-2012 01:16 PM - edited 03-11-2019 03:10 PM
Hi
I have a router serving as a PPTP server, assigning remote users an IP in the local LAN range. From the LAN zone (zone_A), I can access another zone directly attached to the router (zone_B). The PPTP server runs on the external WAN interface (zone_C). I have a zone pair allowing all traffic from zone_A to zone_B, and it works fine for the local clients really on the LAN. However, for the clients in PPTP, I have to add another zone pair B to C allowing GRE traffic ... which doesn't make sense (the PPTP client should be considered as part of zone A! The GRE encapsulation is from self to C and shouldn't matter).
Example config:
Router 1 (main PPTP server):
hostname r1
no ip domain-lookup
username user@TEST password 0 testpassword
vpdn enable
vpdn-group vpnin
 accept-dialin
  protocol pptp
  virtual-template 1
zone security zone_A
zone security zone_B
zone security zone_C
ip local pool vpn_pool 10.1.0.64 10.1.0.95
interface Loopback 0
 ip address 10.1.0.1 255.255.255.0
 zone-member security zone_A
interface Virtual-Template1
 ip unnumbered Loopback0
 no ip route-cache
 peer default ip address pool vpn_pool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 zone-member security zone_A
interface FastEthernet 0/0
 ip address 80.80.80.1 255.255.255.0
 zone-member security zone_C
 no shut
interface FastEthernet 0/1
 ip address 10.2.0.1 255.255.255.0
 zone-member security zone_B
 no shut
ip access-list extended acl_gre
 permit gre any any
class-map type inspect cm_gre
 match access-group name acl_gre
class-map type inspect match-any cm_all
 match protocol icmp
 match protocol udp
 match protocol tcp
policy-map type inspect pm_gre
 class cm_gre
  pass
policy-map type inspect pm_all
 class cm_all
  inspect
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all
zone-pair security zp_B_to_C source zone_B destination zone_C
 service-policy type inspect pm_gre
Router 2 (PPTP client):
hostname r2
no ip domain-lookup
interface FastEthernet 0/0
 ip address 80.80.80.2 255.255.255.0
 no shut
vpdn enable
vpdn-group vpnout
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 80.80.80.1
interface Dialer0
 mtu 1450
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname user@TEST
 ppp chap password 0 testpassword
dialer-list 1 protocol ip permit
Router 3 (random machine in zone_B to test ping):
hostname r3
no ip domain-lookup
interface FastEthernet 0/0
 ip address 10.2.0.2 255.255.255.0
 no shut
ip route 10.1.0.0 255.255.255.0 10.2.0.1
So ... why the hell do I need this B_to_C zone pair for it to work?
01-06-2012 02:09 PM
Hello,
It's as simple as the ZBFW seeing that the connection is being initiated from a host in zone B, even though it looks like a host from zone A.
Regards,
01-06-2012 02:31 PM
But why would ZBF see that?
I'm trying to ping a host in zone B (10.2.0.2 = R3) from the PPTP client (R2) which has its Virtual Access in zone A.
(I'm typing 'ping 10.2.0.2' on a shell on R2)
When I do a "show policy-firewall sessions", I can see that the session is created under the right zone-pair ( A_to_B ).
And the forward packet (echo request from A to B) passes without problem. But the return packet (ICMP reply from B to A) is actually somehow put into the B to C zone pair as a GRE packet, which doesn't make sense to me since:
1) 'C' is the zone of neither the source nor the destination of that packet
2) The 'GRE' packet encapsulating the response is generated in the router itself and not coming from B, and so should be classed as a "self to C" zone-pair packet.
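To make the reply's explanation concrete, here is a small Python model of how a zone-based firewall can end up matching the encapsulated reply against the B-to-C pair. It is added here and is not code from either poster or from Cisco. It assumes a simplified ZBFW rule: each forwarding step through r1 is classified by the zone of the interface the packet arrived on and the zone of the interface it is about to leave on, a stateful `inspect` session admits the reverse direction, and when r1 wraps the reply in GRE for the PPTP tunnel, that GRE packet is still treated as having arrived on the zone_B interface (rather than as self-originated). The interface name `Virtual-Access1` is assumed to be the access interface cloned from Virtual-Template1; zone and zone-pair names are taken from r1's configuration above.

```python
"""Toy ZBFW zone-pair model for the PPTP return path described in the thread.

Added illustration, not Cisco code. The rule that the GRE-encapsulated reply
keeps the inner packet's ingress interface is an assumption chosen to
reproduce the behaviour observed in 'show policy-firewall sessions'.
"""

from dataclasses import dataclass

# Interface-to-zone map taken from r1's 'zone-member security' lines.
# Virtual-Access1 is the assumed clone of Virtual-Template1 (zone_A).
INTERFACE_ZONE = {
    "Loopback0": "zone_A",
    "Virtual-Access1": "zone_A",
    "FastEthernet0/0": "zone_C",
    "FastEthernet0/1": "zone_B",
}

# Zone pairs configured on r1 and the action their policy takes.
ZONE_PAIRS = {
    ("zone_A", "zone_B"): "inspect",  # zp_A_to_B -> pm_all
    ("zone_B", "zone_C"): "pass",     # zp_B_to_C -> pm_gre (the pair in question)
}

# The same router with zp_B_to_C removed, to see what breaks.
ZONE_PAIRS_WITHOUT_B_TO_C = {("zone_A", "zone_B"): "inspect"}


@dataclass(frozen=True)
class Hop:
    """One forwarding step through r1: protocol plus ingress/egress interface."""
    proto: str
    ingress: str
    egress: str


def classify(hop: Hop, zone_pairs) -> tuple:
    """Return (zone_pair, action) for a single step.

    Same-zone traffic needs no zone pair; traffic between two different zones
    with no zone pair is dropped, which is the ZBFW default.
    """
    src = INTERFACE_ZONE[hop.ingress]
    dst = INTERFACE_ZONE[hop.egress]
    if src == dst:
        return ((src, dst), "intra-zone")
    return ((src, dst), zone_pairs.get((src, dst), "drop"))


def trace_ping(zone_pairs=ZONE_PAIRS) -> list:
    """Walk R2's 'ping 10.2.0.2' through r1 hop by hop.

    Returns a list of (proto, zone_pair, verdict) tuples, one per step.
    """
    steps = [
        # Echo request: decapsulated from the tunnel, enters on Virtual-Access1,
        # leaves towards R3 on Fa0/1.
        Hop("icmp", "Virtual-Access1", "FastEthernet0/1"),
        # Echo reply from R3 arrives on Fa0/1 and is routed into the tunnel.
        Hop("icmp", "FastEthernet0/1", "Virtual-Access1"),
        # Assumed: the reply is GRE-encapsulated and leaves on the WAN interface
        # while still being attributed to its original ingress interface.
        Hop("gre", "FastEthernet0/1", "FastEthernet0/0"),
    ]
    sessions = set()
    results = []
    for hop in steps:
        pair, verdict = classify(hop, zone_pairs)
        forward_key = (hop.proto, hop.ingress, hop.egress)
        reverse_key = (hop.proto, hop.egress, hop.ingress)
        if reverse_key in sessions:
            # Reverse direction of an inspected flow is admitted by state.
            verdict = "return-of-session"
        elif verdict == "inspect":
            sessions.add(forward_key)
        results.append((hop.proto, pair, verdict))
    return results


def b_to_c_pair_is_required() -> bool:
    """True if removing zp_B_to_C turns the GRE step into a drop."""
    return trace_ping(ZONE_PAIRS_WITHOUT_B_TO_C)[-1][2] == "drop"


if __name__ == "__main__":
    for proto, pair, verdict in trace_ping():
        print(f"{proto:4s} {pair[0]} -> {pair[1]}: {verdict}")
    print("zp_B_to_C required under this model:", b_to_c_pair_is_required())
```

Under this model the ICMP reply itself is admitted as the return half of the A-to-B session, exactly as the session table shows, and it is only the GRE step carrying that reply towards the WAN that lands in B-to-C. Whether the real platform attributes the encapsulated packet that way is the assumption the model encodes; it is what the reply above asserts, and it is the simplest rule that reproduces the observed need for zp_B_to_C.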