Zone-Based Firewall - GRE Passthrough for PPTP VPN (outbound)

Scott Gardner
Level 1

Hi All

Hoping someone can help me with an issue I am having with zbf on a router config I have just inherited.

I have configured it to passthrough GRE but the users still cannot connect outbound to a PPTP server on the internet.

I have configured the following:

policy-map type inspect OUT-TO-WORLD
 class type inspect URL-FILTER
  inspect
  service-policy urlfilter cppolicymap-1
 class type inspect OUT-TO-WORLD
  inspect
 class type inspect PASS-ZBF-GRE
  pass
 class class-default
  drop

class-map type inspect match-any PASS-ZBF-GRE
 match access-group name pass-zbf-gre

Extended IP access list pass-zbf-gre
    10 permit gre any any

And added the same PASS-ZBF-GRE class-map to the IN-FROM-WORLD policy-map too but this has made no change.

Any thoughts?

Scott
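Added example, not code from the thread or from Cisco: a small Python first-match checker for a ZBF policy-map like the one above. It parses the class-maps, the ACL and the policy-map and reports which class (and therefore which action) an IP protocol such as GRE or TCP lands in. The OUT-TO-WORLD class-map definition is assumed, since the thread never shows it.

```python
import re

# Constructed sample (not the poster's full config): the thread's policy-map,
# PASS-ZBF-GRE class-map and ACL plus an ASSUMED OUT-TO-WORLD class-map.
CONFIG = """\
class-map type inspect match-any OUT-TO-WORLD
 match protocol tcp
class-map type inspect match-any PASS-ZBF-GRE
 match access-group name pass-zbf-gre
ip access-list extended pass-zbf-gre
 10 permit gre any any
policy-map type inspect OUT-TO-WORLD
 class type inspect OUT-TO-WORLD
  inspect
 class type inspect PASS-ZBF-GRE
  pass
 class class-default
  drop
"""

def parse(cfg):
    """class_maps: name -> match lines; acls: name -> permitted IP protocols;
    policy: (class, action) pairs in the order the router evaluates them."""
    class_maps, acls = {}, {}
    for block in filter(str.strip, re.split(r"^(?=\S)", cfg, flags=re.M)):
        head, *body = [ln.strip() for ln in block.splitlines()]
        if head.startswith("class-map"):
            class_maps[head.split()[-1]] = [b[6:] for b in body if b.startswith("match ")]
        elif head.startswith("ip access-list"):
            acls[head.split()[-1]] = re.findall(r"(?:\d+ )?permit (\S+)", block)
    policy = re.findall(r"^ *class (?:type inspect )?(\S+)\n *(inspect|pass|drop)$", cfg, re.M)
    return class_maps, acls, policy

def class_matches(name, proto, class_maps, acls):
    """match-any: a 'match protocol X' line or an ACL permitting the flow's
    IP protocol ('ip' permits everything) selects the class."""
    for entry in class_maps.get(name, []):
        acl = acls.get(entry.split()[-1], []) if entry.startswith("access-group") else []
        if entry == f"protocol {proto}" or proto in acl or "ip" in acl:
            return True
    return False

def action_for(proto, cfg=CONFIG):
    """Walk the policy-map top to bottom, as the firewall does, and return the
    (class, action) of the first class this IP protocol hits."""
    class_maps, acls, policy = parse(cfg)
    for cls, action in policy:
        if cls == "class-default" or class_matches(cls, proto, class_maps, acls):
            return cls, action
    return "class-default", "drop"
```

With the classes as listed in the thread, GRE reaches the pass class; if the earlier OUT-TO-WORLD class-map instead matched an ACL with permit ip any any, GRE would hit that inspect class first and the pass class would never be reached.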


Julio Carvajal
VIP Alumni

Hello Scott,

With PPTP the first connection that will be established is the TCP 1723 one, and then the traffic gets encapsulated into GRE packets for the data exchange (after both ends authenticate with each other).

Where is the PPTP traffic being inspected?

Is it on the OUT-TO-WORLD class-map?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

Thanks for your quick reply.

PPTP traffic is being inspected in the OUT-TO-WORLD class-map.

Scott

If possible I would like to check the entire config.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

See attached

Hello Scott,

It looks good.

Can you add

ip inspect log drop-pkt

And then try to connect and share

show logging | include x.x.x.x (PPTP server)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did as requested but there is nothing in the output at all.

When trying to telnet to the remote PPTP server on 1723 I get the following also:

telnet x.x.x.x 1723

Trying x.x.x.x, 1723 ...

% Connection timed out; remote host not responding

I have checked on the other end and there is nothing blocking traffic from this location and I can VPN to it from anywhere on the internet, just not this router.

On the Windows client I get VPN error 800 (which is generally GRE).

Hello Scott,

Does not make any sense, as the router is not showing any issues.

Let's do a quick ACL check on the router so we can determine if traffic is even reaching the router

ip access-list extended inside_in
 permit tcp host client_ip host PPTP_server eq 1723
 permit ip any any

ip access-list extended inside_out
 permit tcp host PPTP_server eq 1723 host client_ip
 permit ip any any

ip access-list extended outside_out
 permit tcp host client_ip host PPTP_server eq 1723
 permit ip any any

ip access-list extended outside_in
 permit tcp host PPTP_server eq 1723 host client_public_ip
 permit ip any any

interface inside
 ip access-group inside_in in
 ip access-group inside_out out

interface gig 0/x outside
 ip access-group outside_out out
 ip access-group outside_in in

Then try to connect and share all of the

show ip access-list

output for each of them.

If we see matches in only one direction then we know this is a unidirectional problem, and if we see traffic stuck in the router then the problem is on our side.

Let me know how it goes,

Hey, remember to rate all of the helpful posts; for a free community such as this, that is as important as a thanks.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

Turns out coincidentally the other end was having issues with the PPTP server after I made the GRE changes so all is working now.

Many thanks for your help!

Scott

Hello,

Yeah, as we saw before, the ZBFW was not complaining about any problems.

Glad to see that I could help, but remember to rate all of the helpful posts; for a free community such as this, that is as important as a thanks.

Cheers

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC