01-29-2007 01:51 PM
Hello all,
When moving outbound PPTP rules from a PIX to a 2821 ISR running IOS 12.4.
The config is as follows:
ip inspect name myfw pptp
!
interface GigabitEthernet0/0
 ip access-group Acl_Inside in
 ip inspect Cbac_Dmz out
 ip nat inside
!
interface Vlan1
 description ** Outside **
 ip address x.x.x.x 255.255.255.240
 ip access-group Acl_Outside in
 ip verify unicast reverse-path
 ip inspect myfw out
 ip nat outside
 ip virtual-reassembly
!
ip nat inside source list Acl_Nat_Outside interface Vlan1 overload
!
ip access-list extended Acl_Nat_Outside
 permit ip any any
!
ip access-list extended Acl_Inside
 permit tcp host <inside IP> host <outside pptp server ip> eq 1723
 permit gre host <inside IP> host <outside pptp server ip>
!
ip access-list extended Acl_Outside
 ....
If I don't have this in Acl_Outside:
permit gre host <outside pptp server ip> host <router outside ip>
the returning GRE session from the outside PPTP server can't be established.
On the PIX it is not necessary; the returning GRE session is created automatically.
Furthermore, the pptp keyword is not recognized, I must give 1723 instead.
Is it another bug?
01-30-2007 04:58 AM
Hi,
On the PIX the pptp is managed by the "fixup", as the PIX understands the PPTP protocol.
How PPTP works: you send TCP 1723, return traffic is GRE (IP port 47).
On IOS, you probably need to open the return traffic (GRE):
access-list outbound permit tcp <> <> eq 1723
access-list inbound permit gre <> <>
Please rate if this helped.
Regards,
Daniel
01-30-2007 08:47 AM
Thanks for the reply,
I agree with your answer because I solved the problem like this on the C2821.
Then, what is the purpose of 'ip inspect fw pptp'?
I thought it was equivalent to the PIX fixup pptp or the ASA inspect pptp.
Furthermore, opening a permanent inbound GRE door is a security hole.
Is it possible to create a reflexive GRE ACL?
Does the new Zone-Based Policy FW in 12.4(6)T hold PPTP return traffic?
Regards,
Alain
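Alain's last question, whether a stateful inspection can open the GRE return path on demand instead of a permanent `permit gre` on the outside interface, is what Zone-Based Policy Firewall (introduced in IOS 12.4(6)T) is designed for. The following configuration is an added example written for this thread; it is not from either poster, and the zone, class-map and policy-map names are assumed. The interfaces (GigabitEthernet0/0 inside, Vlan1 outside) follow the original post.

```cisco
! Added example, not from the thread. Zone-Based Policy Firewall, IOS 12.4(6)T or later.
! Zone names "inside"/"outside" and the CM_/PM_/ZP_ names are assumed.
!
! Match the PPTP control channel (TCP 1723). The inspect action tracks the
! session and opens the matching GRE return pinhole only while that call exists,
! so Acl_Outside no longer needs a static "permit gre" line.
class-map type inspect match-any CM_PPTP
 match protocol pptp
!
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_PPTP
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
! Only the inside -> outside direction has a policy. There is no zone-pair for
! outside -> inside, so unsolicited traffic from the Internet (including stray
! GRE) is dropped by default; only inspected return traffic is let back in.
zone-pair security ZP_INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security inside
!
interface Vlan1
 description ** Outside **
 zone-member security outside
```

Verify with `show policy-map type inspect zone-pair ZP_INSIDE_TO_OUTSIDE sessions` while a client is connected: the TCP 1723 session should be listed, and the GRE return flow is accepted without any entry for it in the outside ACL. Two caveats: once an interface is a zone member, traffic between it and any non-zone interface is dropped, so every interface that must forward traffic needs a zone; and with `ip nat inside source ... overload`, GRE carries no port numbers, so the router's PPTP NAT handling determines how many simultaneous inside clients can reach the same outside server through one public address.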