I have an 1841 with ADSL WIC and am trying to connect a Win XP client PC to a remote network running a Windows VPN/RRAS server. In other words, I just need the firewall to pass through PPTP/GRE. If I use the PC with an analogue dial-up connection I can connect the VPN fine, but when I try via the 1841 I get "Error 806: A connection between your computer and the VPN server has been established, but the VPN connection cannot be completed.... Verify that protocol 47 (GRE) is allowed..."
Unfortunately neither SDM nor the CLI allows me to specify "gre" as a class-map match protocol.
I've even tried opening up everything to that destination, but with no success:
class-map type inspect match-any ABC-VPN
 ! Note: these three matches cover only TCP, UDP and ICMP; GRE is IP protocol 47 and matches none of them
 match protocol tcp
 match protocol udp
 match protocol icmp
I have a static NAT for the client (i.e. no pool/overloaded ports), as I found a suggestion that with an older IOS version (12.1T) this was required (http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/prod_bulletin09186a0080091abd.html#wp45).
IOS version: 12.4(11)T2 and now 12.4(15)T1
It sounds simple to me, but is this currently possible? There seems to be some debate about it on this blog (where I have also posted this question): http://ioshints.blogspot.com/2007/05/self-zone-in-zone-based-firewall.html - this suggests that this might not work as planned.
I haven't found anything relevant on NetPro... perhaps not many people are using zone-based firewall configuration yet, as it's still new.
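Added example (not the poster's configuration, and not taken from either linked page): since a `class-map type inspect` cannot name GRE with `match protocol`, the usual way to let it through a zone-based firewall is to match it with a named extended ACL (`permit gre ...`) and apply the `pass` action rather than `inspect`, because GRE carries no ports and keeps no session state the firewall can track. `pass` is one-way, so a matching `pass` class is needed on the reverse zone pair as well; the PPTP control channel on TCP/1723 can be inspected normally. The zone names INSIDE/OUTSIDE, the class/policy names and the VPN server address 198.51.100.5 are assumptions for illustration; the existing static NAT is left as it is, and the client side is written as `any` so the rule matches whether the firewall sees the pre- or post-NAT address.

```cisco
! Assumed: zones INSIDE (LAN) and OUTSIDE (ADSL dialer) already exist and the
! interfaces are already zone members. 198.51.100.5 stands in for the RRAS server.
ip access-list extended ACL-PPTP-CTRL
 permit tcp any host 198.51.100.5 eq 1723
ip access-list extended ACL-GRE-VPN
 permit gre any host 198.51.100.5
 permit gre host 198.51.100.5 any
!
! PPTP control channel: stateful TCP inspection is fine here
class-map type inspect match-all CM-PPTP-CTRL
 match protocol tcp
 match access-group name ACL-PPTP-CTRL
! GRE tunnel: only an ACL can select protocol 47 in a class-map type inspect
class-map type inspect match-all CM-GRE-VPN
 match access-group name ACL-GRE-VPN
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP-CTRL
  inspect
 class type inspect CM-GRE-VPN
  pass
 class class-default
  drop
!
! pass does not create return-traffic state, so the reverse zone pair needs it too
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE-VPN
  pass
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

To confirm the GRE class is being hit while a tunnel is being brought up, watch the per-class counters with `show policy-map type inspect zone-pair IN-OUT` and `show policy-map type inspect zone-pair OUT-IN`; if the `pass` counters stay at zero while `class-default` drops increase, the ACL is not matching the addresses the firewall actually sees. The self-zone question from the linked blog post does not arise here, because the client's traffic transits the router between two zones and is never addressed to the router itself.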