PPTP VPN

chris1317
Level 1

Hi,

I am having a bit of bother configuring my Cisco 887 for PPTP VPN.

As far as I can see the VPN configuration seems to be working ok. I can connect from within the network ok.

I believe that the issue is with the zone based firewall. I have tried to configure this to allow the VPN traffic to no avail. Any tips or sample configs that anyone could supply would be greatly appreciated. I am having trouble finding a definitive way to set this up online.

I can post any configs if required

Thanks

Chris

3 Replies

Are you allowing ip protocol number 47?

Sent from Cisco Technical Support iPad App

Hi Kristian,

My problem is that I am not exactly sure how to allow the traffic through. I have a zone based firewall configured but I got a bit mixed up when I tried to add the VPN stuff. Some of the guides that I tried to follow had me setting up additional zones for the VPN. I tried but it didn't work. I have since removed the additional config. At the moment I am not allowing any additional traffic through.

Here's what I have so far...

multilink bundle-name authenticated
vpdn enable
!
vpdn-group PPTP-VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

I've found this guide which I'm trying to work through. I'm getting on ok but am getting a bit stuck with setting the policy maps and zone pair mappings.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml

I added the config that it suggests for the class maps and the policy maps. I then went and tried to put in the config for the zone-pairs. I noticed that this config uses different markings for the in and out zone than mine do. I decided to modify their config to match mine by changing the zone map commands from the ones in the document to the following.

zone-pair security out-self source out-zone destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect In-Out-Policy

I get an error thrown up saying that the pair already exists. Do I need to merge the config with my existing zone pairs by modifying my policy maps?

Sorry if I am sounding a bit daft but I haven't had much experience modifying the firewall.

Thanks

Chris
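The missing pieces for this layout, written out as an added example (it is not the poster's config and not the configuration from the linked Cisco guide): it reuses the poster's zones out-zone, in-zone and self, the existing ccp-permit and ccp-insp-traffic, and Virtual-Template1 from the vpdn-group, and it assumes a new zone named pptp on the virtual-template; the names PPTP-TO-SELF, PPTP-TO-SELF-CM and PPTP-In-Policy are constructed here.

```cisco
! Added example, not the poster's or Cisco's config. Assumes the poster's zones
! (out-zone, in-zone, self), the existing policy-map ccp-permit, Virtual-Template1
! from the vpdn-group above, and a new zone named pptp; the ACL and class-map
! names are constructed here.
!
! Step 1: the PPTP control channel (TCP/1723) and the GRE tunnel (IP protocol 47)
! both terminate on the router, so they cross the out-zone -> self pair.
ip access-list extended PPTP-TO-SELF
 permit tcp any any eq 1723
 permit gre any any
! (narrow "any any" to "any host <WAN-IP>" once the WAN address is known)
!
class-map type inspect match-all PPTP-TO-SELF-CM
 match access-group name PPTP-TO-SELF
!
! Step 2: add a class to the existing out-zone -> self policy. GRE has no
! session state the firewall can track, so it must be passed, not inspected.
! Everything else stays dropped, and the self -> out-zone policy
! (ccp-permit-icmpreply, class-default pass) already lets the router reply.
policy-map type inspect ccp-permit
 class type inspect PPTP-TO-SELF-CM
  pass
 class class-default
  drop
!
! Step 3: decapsulated client traffic arrives on the virtual-access interface
! cloned from Virtual-Template1, so that interface needs its own zone, and
! that zone needs a pair towards the LAN. Reusing ccp-insp-traffic keeps the
! VPN clients under the same inspection as the LAN users.
zone security pptp
!
interface Virtual-Template1
 zone-member security pptp
!
policy-map type inspect PPTP-In-Policy
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
!
zone-pair security pptp-in source pptp destination in-zone
 service-policy type inspect PPTP-In-Policy
! Without an in-zone -> pptp pair, LAN hosts cannot open sessions to VPN
! clients; replies to client-initiated sessions are allowed by the inspect.
```

Because the existing ccp-zp-out-self pair already binds out-zone to self, the change goes into its policy-map rather than into a second zone-pair, which is why the duplicate "out-self" pair in the post was rejected.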
