Windows VPN passthrough with IOS zone-based firewall

Unanswered Question
Jul 27th, 2007

I have an 1841 with ADSL WIC and am tyring to connect a Win XP client PC to a remote network running a Windows VPN/RRAS server. In other words, I just need the firewall to pass through PPTP/GRE. If I use the PC with an analogue dial up connection I can connect the VPN fine, but when I try via the 1841 I get "Error 806: A connection between your computer and the VPN server has been established, but the VPN connection cannot be completed.... Verify that protocol 47 (GRE) is allowed..."

Unfortunately neither SDM not the CLI allows me to specify "gre" as a class-map match protocol.

I've even tried opening up everything to that destination but with no success:

class-map type inspect match-any ABC-VPN

match protocol tcp

match protocol udp

match protocol icmp

I have a static NAT for the client (i.e. no pool/overloaded ports) as I found a suggestion that with an older IOS version (12.1T) that this was required (

IOS version: 12.4(11)T2 and now 12.4(15)T1

It sounds simple to me but is this currently possible? There seems to be some debate about it on this blog (where I have also posted this question): - this suggests that this might not work as planned.

I haven't found anything relevant on NetPro... perhaps not many people are using zone-based firewall config yet as it's still new.

Any thoughts?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
veriton Mon, 09/24/2007 - 01:48

You'll see on the ioshints blog that Luis Santos suggested a workaround to pass GRE traffic through in both directions - check the URL in my original post.

Unfortunately by that point I had reverted to my old interface-based config so I didn't get round to trying it out. Perhaps I'll look at it again in a few months...


This Discussion