PPTP and Zone-Based Firewall

Unanswered Question
Sep 18th, 2008

Please help! I configured a zone-based firewall and here is part of my config file:

class-map type inspect match-any test
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls--3
 match access-group name Public
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 match class-map test
class-map type inspect match-all sdm-cls--1
 match access-group name LAN
class-map type inspect match-all sdm-cls--5
 match access-group name pristup
class-map type inspect match-all sdm-cls--4
 match access-group name VPN
!
!
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls--3
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  pass
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect sdm-cls--5
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--4
 class type inspect sdm-cls--4
  inspect
 class class-default
!
zone security visitors
zone security employee
zone security Internet
zone security VPN
zone-pair security sdm-zp-visitors-employee source visitors destination employee
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-visitors-Internet source visitors destination Internet
 service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-VPN-employee source VPN destination employee
 service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-Internet-employee source Internet destination employee
 service-policy type inspect sdm-policy-sdm-cls--5
...
ip access-list extended Internet
 remark SDM_ACL Category=128
 permit ip 192.168.201.0 0.0.0.255 any
------------------

With this configuration, a user from inside cannot establish a PPTP connection to an outside PPTP server. Where is my mistake?

Gerald Vogt Fri, 09/19/2008 - 00:35

I assume here the users are in the employee zone and the PPTP server is in the internet zone.

PPTP uses a TCP connection to establish a GRE link. Your policy sdm-policy-sdm-cls--2 only inspects class sdm-cls--2, i.e. you only inspect tcp and udp traffic. Anything else is passed without inspection.

You didn't post the access list pristup, but I guess it won't accept incoming GRE.

I would say you have to remove the test class-map from the sdm-cls--2 class to inspect all IP protocols and not only tcp and udp, or add gre to the test class-map if gre is supported for "match protocol".

Generally, I find it helpful for debugging to have a "drop log" rule for class-default where you don't pass traffic. It shows you which policy drops the packet and may give you a hint where the problem is.
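The two changes suggested in the reply, written out as an added configuration example (not part of either post), assuming the commands are entered against the running config quoted in the question: the `match class-map test` line is removed from sdm-cls--2 so the access-group match alone selects the traffic and every IP protocol is inspected, GRE included, and class-default drops and logs instead of passing so any remaining block identifies itself in the log.

```cisco
! Before (as posted): match-all with the tcp/udp class-map, so GRE
! (IP protocol 47) never matches sdm-cls--2 and falls through to
! class-default, which passes it without creating an inspect session.
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 match class-map test
!
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  pass
!
! After: remove the class-map reference so the ACL alone selects the
! traffic. The inspect action then covers the PPTP TCP control
! connection and the GRE tunnel from the employee zone.
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 no match class-map test
!
! class-default now drops and logs instead of silently passing, so a
! packet that still fails shows up with the policy that dropped it.
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  no pass
  drop log
```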
