PPTP and Zone based Firewall

Sep 18th, 2008

Please help! I configured a zone-based firewall and here is a part of my config file:

class-map type inspect match-any test
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls--3
 match access-group name Public
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 match class-map test
class-map type inspect match-all sdm-cls--1
 match access-group name LAN
class-map type inspect match-all sdm-cls--5
 match access-group name pristup
class-map type inspect match-all sdm-cls--4
 match access-group name VPN

policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls--3
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
 class class-default
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect sdm-cls--5
 class class-default
policy-map type inspect sdm-policy-sdm-cls--4
 class type inspect sdm-cls--4
 class class-default

zone security visitors
zone security employee
zone security Internet
zone security VPN
zone-pair security sdm-zp-visitors-employee source visitors destination employee
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-visitors-Internet source visitors destination Internet
 service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-VPN-employee source VPN destination employee
 service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-Internet-employee source Internet destination employee
 service-policy type inspect sdm-policy-sdm-cls--5

ip access-list extended Internet
 remark SDM_ACL Category=128
 permit ip any


With this configuration, a user from inside cannot establish a PPTP connection to an outside PPTP server. Where is my mistake?

Gerald Vogt Fri, 09/19/2008 - 00:35

I assume here the users are in the employee zone and the PPTP server is in the internet zone.

PPTP uses a TCP connection to establish a GRE link. Your policy sdm-policy-sdm-cls--2 only inspects class sdm-cls--2, i.e. you only inspect tcp and udp traffic. Anything else is passed without inspection.

You didn't post the access list pristup, but I guess it won't accept incoming GRE.

I would say you have to remove the test class-map from the sdm-cls--2 class to inspect all IP protocols and not only tcp and udp. Or you add gre to the test class-map if gre is supported for "match protocol".

Generally, I find it helpful for debugging to have a "drop log" rule for class-default where you don't pass traffic. It shows you which policy drops the packet and may give you a hint where the problem is.
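The reply's first suggestion applied to the employee-to-Internet policy, together with the "drop log" class-default it recommends, as an added example that is not the poster's or the reply's own configuration. It assumes the action stripped from under each class in the posted config was `inspect`.

```cisco
! Added example, not from the original post.
! sdm-cls--2 now matches only the Internet ACL; without "match class-map test"
! the match-all class covers every IP protocol, so the GRE tunnel (IP protocol 47)
! that PPTP sets up over its TCP 1723 control connection is inspected too,
! and the returning GRE rides the inspect session instead of hitting the
! Internet -> employee zone-pair and its pristup ACL.
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
!
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 ! Assumption: "inspect" is the action the posted config omitted.
 class class-default
  ! Log every drop so the zone-pair and policy responsible show up in syslog.
  drop log
!
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
```

After the change, a PPTP attempt that still fails leaves a logged drop that names the policy, which is the hint the reply describes.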
