Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Router: PPTP passthrough stops working

Hi folks,

it drives me crazy for a while. I spent a lot of time getting it solved, but I need your help.

I have a router connected to internet and some clients and a server behind.

The clients access internet using the natted router ip. There are some pptp clients connecting pptps servers on outside.

Local lan =

Server IP =

Ports pptp, https, smtp and rdp are natted from outside to private ip inside lan.

Where https and pptp can be accessed from all, smtp and rdp are just allowed for some speicific ips.

There is a ipsec tunnel to a static peer address.

Everything is working fine, but pptp.

When trying to reach server via https from outside, it is working. When trying pptp it is not.

What is the problem, how can I find out what makes packets drop?

Do I need a gre rule?

The fw and access config:

ip port-map user-protocol-rdp port tcp 3389

class-map type inspect match-all sdm-nat-smtp-1

match protocol smtp

match access-group 103

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 105

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any sdm-nat-pptp-1

match access-group 101

match protocol pptp

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all sdm-nat-https-1

match access-group 101

match protocol https

class-map type inspect match-all sdm-nat-user-protocol-rdp-1

match protocol user-protocol-rdp

match access-group 104

class-map type inspect match-all ccp-protocol-http

match protocol http



policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access


class class-default


policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http


class type inspect ccp-insp-traffic


class type inspect ccp-sip-inspect


class type inspect ccp-h323-inspect


class type inspect ccp-h323annexe-inspect


class type inspect ccp-h225ras-inspect


class type inspect ccp-h323nxg-inspect


class type inspect ccp-skinny-inspect


class class-default


policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT


class class-default


policy-map type inspect ccp-pol-outToIn

class type inspect sdm-nat-pptp-1


class type inspect CCP_PPTP


class type inspect sdm-nat-https-1


class type inspect sdm-nat-smtp-1


class type inspect sdm-nat-user-protocol-rdp-1


class class-default

  drop log


zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host any

access-list 100 permit ip any

access-list 101 remark CCP_ACL Category=0

access-list 101 permit ip any host

access-list 102 remark CCP_ACL Category=2

access-list 102 remark tunnel net2 webserver

access-list 102 deny   ip

access-list 102 remark tunnel net1 webserver

access-list 102 deny   ip

access-list 102 permit ip any

access-list 103 permit ip object-group SMTP_IN host

access-list 104 permit ip object-group RDP_IN host

access-list 105 remark CCP_ACL Category=144

access-list 105 permit ip host any