ACL query - GRE & PPTP

m-mneimneh
Level 1

Hi all,

I'm setting up an inbound ACL on the gateway's WAN interface. I want to allow all GRE & PPTP traffic from my Win2k VPN peers to my Win2k VPN server, and deny other IP traffic to this server. I did the following:

10 permit tcp host remote_peer host 213.42.y.y eq 1723 (9976 matches)
11 permit ip host remote_peer host 213.42.y.y (2019915 matches)
12 permit gre host remote_peer host 213.42.y.y

The tunnel would not establish unless I have an ACL entry for ip between the 2 peers. Any idea why this is so?

2 Replies

kumar.ajeet
Level 1

Hi Friend,

You can allow the peer IPs with commands like the following. Moreover, it would help if you could provide information regarding the setup, such as how you are securing your GRE traffic over the Internet, or a brief description of the connectivity setup.

Following commands may help you.

access-list 100 permit gre host 192.0.2.1 host 192.0.2.2
access-list 100 deny gre any any

Please rate if it does help.

Thanks,
Ajeet

Hello Ajeet,

Actually, the ACL entries show:

Extended IP access list Internet_In
10 permit tcp host remote_vpn host 213.42.y.y eq 1723 (10272 matches)
11 permit ip host remote_vpn host 213.42.y.y (2147840 matches)
12 permit gre host remote_vpn host 213.42.y.y

I ran a debug ip packet acl, and I found:

6w5d: IP: s=remote_vpn (Serial0/0/0), d=213.42.y.y (FastEthernet0/0), g=213.42.y.y, len 105, forward, proto=47
6w5d: IP: tableid=0, s=remote_vpn (Serial0/0/0), d=213.42.y.y (FastEthernet0/0), routed via FIB
6w5d: IP: s=remote_vpn (Serial0/0/0), d=213.42.y.y (FastEthernet0/0), g=213.42.y.y, len 56, forward
6w5d: TCP src=1167, dst=1723, seq=530634269, ack=1857572544, win=15640 ACK PSH

So as you can see, the debug shows GRE & PPTP traffic, but no IP; the ACL hits show PPTP & IP matches, but not GRE!

Interesting, isn't it?
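An added example, not part of the thread: a small Python model of how an IOS extended ACL is evaluated (top-down in sequence-number order, first match wins and bumps that entry's counter, implicit deny at the end), run over constructed packets for the PPTP control connection (TCP/1723) and the GRE data (IP protocol 47, the proto=47 in the debug output). The addresses 192.0.2.1 and 198.51.100.10 are constructed stand-ins for remote_vpn and 213.42.y.y, and the parser only handles the host/any/eq forms that appear in the thread.

```python
"""Toy first-match evaluator for Cisco-style extended ACLs.

Added example, not code from the forum thread. It models how IOS walks an
extended ACL in sequence order, stops at the first matching entry (ACE),
increments that entry's "(N matches)" counter, and drops anything that
reaches the end (implicit deny). Addresses and packets are constructed
stand-ins (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA IP protocol numbers; "ip" means any protocol. GRE is 47 (the
# "proto=47" in the debug output), TCP is 6.
PROTO_NUM: Dict[str, Optional[int]] = {"ip": None, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class ACE:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # key of PROTO_NUM
    src: str                     # host address or "any"
    dst: str
    eq: Optional[int] = None     # "eq <port>" on the destination
    matches: int = 0             # hit counter shown by "show access-lists"

    def match(self, pkt: Packet) -> bool:
        want = PROTO_NUM[self.proto]
        if want is not None and pkt.proto != want:  # "ip" matches every protocol
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.eq is not None and pkt.dport != self.eq:
            return False
        return True


def parse_ace(line: str) -> ACE:
    """Parse '12 permit gre host A host B [eq N]' (only the subset used here)."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    i = 3

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] != "host":
            raise ValueError(f"unsupported address form in: {line}")
        i += 2
        return tok[i - 1]

    src, dst = addr(), addr()
    eq = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ACE(seq, action, proto, src, dst, eq)


class ExtendedACL:
    def __init__(self, lines: List[str]):
        # IOS evaluates by sequence number, whatever order the lines were typed in.
        self.aces = sorted((parse_ace(l) for l in lines), key=lambda a: a.seq)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """(action, seq) of the first matching ACE; ('deny', None) is the implicit deny."""
        for ace in self.aces:
            if ace.match(pkt):
                ace.matches += 1
                return ace.action, ace.seq
        return "deny", None


PEER, SERVER = "192.0.2.1", "198.51.100.10"  # constructed stand-ins for remote_vpn / 213.42.y.y
SAMPLE_PACKETS = {
    "pptp": Packet(PEER, SERVER, 6, 1723),          # PPTP control channel
    "gre": Packet(PEER, SERVER, 47),                # GRE-encapsulated PPP data
    "other": Packet("203.0.113.5", SERVER, 6, 22),  # unrelated host, should be dropped
}
# The three entries from the thread, with the constructed addresses.
THREAD_ORDER = [
    f"10 permit tcp host {PEER} host {SERVER} eq 1723",
    f"11 permit ip host {PEER} host {SERVER}",
    f"12 permit gre host {PEER} host {SERVER}",
]
# The same list with the broad "permit ip" entry left out.
WITHOUT_PERMIT_IP = [THREAD_ORDER[0], THREAD_ORDER[2]]


def run(lines: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    acl = ExtendedACL(lines)
    return {name: acl.evaluate(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, lines in (("thread order", THREAD_ORDER), ("without permit ip", WITHOUT_PERMIT_IP)):
        print(label, run(lines))
```

With the entries in the thread's order, the GRE packet is permitted by sequence 11, because permit ip covers every IP protocol, GRE included, and sequence 12 is never consulted; that is consistent with the counters above showing hits on 11 and none on 12. With sequence 11 removed the model permits GRE on sequence 12 and still drops the unrelated host on the implicit deny, so the ACL logic by itself does not account for the tunnel failing without that entry; the thread does not show what else differed in that test.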
