PPTP VPN on a Cisco 877 router - ZBPF

sergio.paganoni
Level 1

Hi there,

I'm trying to configure a PPTP tunnel for remote users to access inside network resources. Before enabling the firewall (ZBPF) everything worked perfectly: the tunnel came up and worked perfectly.

Once I tried to define zone-pairs/policy-maps the VPN connection never came up again. Here is my firewall configuration:

class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any All-Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all Router-Access-Traffic
 match access-group name Router-Access
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-TERMINATED
!
!
policy-map type inspect PPTP-In-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-In-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect In-Out-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-Self-Policy
 class type inspect Router-Access-Traffic
  pass
 class type inspect PPTP-Terminated-Traffic
  inspect
 class class-default
  drop log
!
zone security outside
zone security inside
zone security pptp
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination inside
 service-policy type inspect PPTP-In-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
!

ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended Router-Access
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq 443
!

The pptp zone is associated with the Virtual-Template used for the PPTP connections.

Here is the error log message:

Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 Y.Y.Y.Y.14:0 on zone-pair outside-self class class-default due to  DROP action found in policy-map with ip ident 0

where X.X.X.X is the remote IP (of the user who is trying to connect) and Y.Y.Y.Y is the router IP address.

Router version:

Version 12.4(24)T3, RELEASE SOFTWARE (fc2)

The remote client (Windows software) gives the following error after a while (it freezes on authenticating user name and password):

Error 734: The PPP link control protocol was terminated

I've no idea how to solve this... I've followed exactly this tutorial from Cisco: https://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml

Thanks for your help!

Sergio
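To spot which zone-pair and class are silently killing the tunnel, it helps to parse the %FW-6-DROP_PKT messages quoted above and count drops by zone-pair, class and protocol. The following parser is an added example and not part of the original post; the field layout is taken from the message format shown above, and the sample log lines and the 203.0.113.x / 198.51.100.x addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern for the IOS ZBPF drop message in the format quoted in the post:
# "%FW-6-DROP_PKT: Dropping <proto> session <src>:<sport> <dst>:<dport>
#  on zone-pair <pair> class <class> due to  <ACTION> action found in policy-map ..."
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<action>\S+) action found in policy-map"
)

@dataclass(frozen=True)
class DropEvent:
    proto: str       # e.g. "tcp", "udp", or "Unknown-l4" for a protocol the inspect engine does not track
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str   # e.g. "outside-self"
    cls: str         # class that matched, e.g. "class-default"
    action: str      # e.g. "DROP"

def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a ZBPF drop message, or None for any other syslog line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return DropEvent(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     m["zone_pair"], m["cls"], m["action"])

def summarize_drops(lines: Iterable[str]) -> Counter:
    """Count drops by (zone_pair, class, proto) so a class-default hit on the self zone stands out."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_drop(line)
        if ev is not None:
            counts[(ev.zone_pair, ev.cls, ev.proto)] += 1
    return counts

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session 203.0.113.5:0 198.51.100.14:0 on zone-pair outside-self class class-default due to  DROP action found in policy-map with ip ident 0",
    "Jul 13 17:46:48: %FW-6-DROP_PKT: Dropping Unknown-l4 session 203.0.113.5:0 198.51.100.14:0 on zone-pair outside-self class class-default due to  DROP action found in policy-map with ip ident 0",
    "Jul 13 17:46:49: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.9:51234 198.51.100.14:8080 on zone-pair outside-self class class-default due to  DROP action found in policy-map with ip ident 0",
    "Jul 13 17:46:50: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  zone-pair={key[0]} class={key[1]} proto={key[2]}")
```

A protocol that shows up as Unknown-l4 in class-default on outside-self is one that no class in Out-Self-Policy matched, which is the first thing to compare against the ACLs bound to that zone-pair.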
