cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2295
Views
0
Helpful
10
Replies
mateomateo1
Beginner

Zone based firewall and vpn access

My vpn connections out and in are not working through zbfw, what can be wrong?

class-map type inspect match-any CM_GRE_PROTOCOLS

match access-group name GRE

class-map type inspect match-any classmap2

match access-group 110

class-map type inspect match-any classmap1

match protocol tcp

match protocol udp

match protocol icmp

match protocol pptp

class-map match-any p2p

match protocol gnutella

match protocol kazaa2

match protocol fasttrack

match protocol novadigm

match protocol edonkey

match protocol bittorrent

!

!

policy-map policy-p2p

class p2p

  drop

policy-map type inspect policymap1

class type inspect classmap1

  inspect

class type inspect CM_GRE_PROTOCOLS

  pass

class class-default

  drop log

policy-map type inspect policymap2

class type inspect classmap2

  inspect

class type inspect CM_GRE_PROTOCOLS

  pass

class class-default

  drop log

!

zone security inside

zone security outside

zone-pair security in-to-out source inside destination outside

service-policy type inspect policymap1

zone-pair security out-to-in source outside destination inside

service-policy type inspect policymap2

ip access-list extended GRE

remark Access List to allow PPTP GRE outbound

permit gre any any

ip nat inside source static tcp 10.28.24.2 1723 x.x.x.x 1723 extendable

10 REPLIES 10

Hi Matt,

What is not working?

VPN connections to the Router?

VPN clients connected but unable to reach internal resources?

VPN connnections passing through the Router?

Thanks.

Portu.

Please rate any helpful posts

i have internal vpn set up on windows server but cant get from outside, also if i am trying to connect from inside to outside (also to windows 2008 vpn server) it is also failing. zbfw not allowing any type of vpn passthrough

Matt,

Please run the following command in configuration mode:

ip inspect log drop-pkt

Then try to connect, attach the output, it will help us identify where the issue is.

Thanks.

Portu.

Please rate any helpful posts

Julio Carvajal
Advisor

Hello Matt,

So this is just for PTTP traffic right?

Also can you share the show access-list 110?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio is right, I have been asking about IPsec (since this is the VPN forum) but, is this for PPTP traffic?

Thanks.

I am sorry guys this is about pptp connections in and out...

access-list 110 permit tcp any host 10.28.3.2 eq smtp

access-list 110 permit tcp any host 10.28.3.2 eq www

access-list 110 permit tcp any host 10.28.3.2 eq 443

access-list 110 permit tcp any host 10.28.24.2 eq 443

access-list 110 permit tcp any host 10.28.24.2 eq www

access-list 110 permit tcp any host 10.28.24.2 eq smtp

access-list 110 permit tcp any host 10.28.24.2 eq 987

access-list 110 permit tcp any host 10.28.24.2 eq 1723

access-list 110 permit tcp any host 10.28.3.2 eq smtp

access-list 110 permit tcp any host 10.28.3.2 eq www

access-list 110 permit tcp any host 10.28.3.2 eq 443

access-list 110 permit tcp any host 10.28.24.2 eq 443

access-list 110 permit tcp any host 10.28.24.2 eq www

access-list 110 permit tcp any host 10.28.24.2 eq smtp

access-list 110 permit tcp any host 10.28.24.2 eq 987

access-list 110 permit tcp any host 10.28.24.2 eq 1723

I would suggest adjusting your settings accordingly, if you still face issues, let us know.

HTH.

Hello Mat,

We are still waiting for the IP inspect-log drop packets logs... Do the following and let me know the results:

Can you do the following please:

ip access-list extended GRE

remark Access List to allow PPTP GRE outbound

permit gre any any

Ip access-list ext PPTP

permit tcp any host 10.28.24.2 eq 1723

class-map GRE

match access-group GRE

class-map type inspect match-all PPTP_out_in

match protocol PPTP

match access-group PPTP

class-map type inspect match-all PPTP_in_out

match protocol PPTP

policy-map type inspect policymap1

class  PPTP_in_out

inspect

class GRE

pass

policy-map type inspect policymap2

class  PPTP_out_in

inspect

class GRE

pass

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hello, I have following dropouts, bolded ones are when I am trying to connect to windows 2008 vpn server.

There are also different dropouts every minute but so far nobody reports that to me.

jcarvaja when i try to add class GRE on policymap1 I am getting

% class GRE of type default is not allowed in policy-map policymap1 of type inspect

Oct 9 12:10:14: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0

Oct 9 12:10:49: %FW-6-DROP_PKT: Dropping tcp session 77.72.118.168:80 10.28.3.53:49533 due to SYN inside current window with ip ident 0

Oct 9 12:11:21: %FW-6-DROP_PKT: Dropping Unknown-l4 session 81.143.27.54:0 10.28.3.2:0 on zone-pair out-to-in class classmap2 due to Invalid Segment with ip ident 0

Oct 9 12:11:52: %FW-6-DROP_PKT: Dropping Unknown-l4 session 81.143.27.54:0 10.28.3.2:0 on zone-pair out-to-in class classmap2 due to Invalid Segment with ip ident 0

Oct 9 12:12:22: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0

Oct 9 12:12:58: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.11:3606 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0

Create
Recognize Your Peers
Content for Community-Ad