Cisco Support Community
Community Member

PPTP and Zone based Firewall

Please help! I configured a zone-based firewall, and here is part of my config file:

class-map type inspect match-any test
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls--3
 match access-group name Public
class-map type inspect match-all sdm-cls--2
 match access-group name Internet
 match class-map test
class-map type inspect match-all sdm-cls--1
 match access-group name LAN
class-map type inspect match-all sdm-cls--5
 match access-group name pristup
class-map type inspect match-all sdm-cls--4
 match access-group name VPN

policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls--1
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls--3
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
 class class-default
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect sdm-cls--5
 class class-default
policy-map type inspect sdm-policy-sdm-cls--4
 class type inspect sdm-cls--4
 class class-default

zone security visitors
zone security employee
zone security Internet
zone security VPN
zone-pair security sdm-zp-visitors-employee source visitors destination employee
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-employee-Internet source employee destination Internet
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-visitors-Internet source visitors destination Internet
 service-policy type inspect sdm-policy-sdm-cls--3
zone-pair security sdm-zp-VPN-employee source VPN destination employee
 service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-Internet-employee source Internet destination employee
 service-policy type inspect sdm-policy-sdm-cls--5

ip access-list extended Internet
 remark SDM_ACL Category=128
 permit ip any


With this configuration, a user from inside cannot establish a PPTP connection to an outside PPTP server. Where is my mistake?

Community Member

Re: PPTP and Zone based Firewall

I assume here the users are in the employee zone and the PPTP server is in the internet zone.

PPTP uses a TCP connection to establish a GRE link. Your policy sdm-policy-sdm-cls--2 only inspects class sdm-cls--2, i.e. you only inspect tcp and udp traffic. Anything else is passed without inspection.

You didn't post the access list pristup, but I guess it won't accept incoming GRE.

I would say you have to remove the test class-map from the sdm-cls--2 class to inspect all IP protocols and not only tcp and udp. Or you add gre to the test class-map, if gre is supported for "match protocol".

Generally, I find it helpful for debugging to have a "drop log" rule for class-default where you don't pass traffic. It shows you which policy drops the packet and may give you a hint where the problem is.
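As an added illustration, not the original poster's configuration and not part of the reply above, the following shows the posted class-map beside a version that lets PPTP through. It follows the reply's reading of the topology (users in zone employee, PPTP server in zone Internet) and reuses the posted policy-map names. Everything else is an assumption made here: the ACL name GRE-PPTP, the class name cls-gre-pptp, the inspect/drop actions (which the posted config does not show), and the server address 203.0.113.10, a constructed documentation address standing in for the real PPTP server. The pass action and drop log are standard IOS zone-based firewall constructs.

```cisco
! --- As posted: the nested class only matches tcp and udp. The PPTP control
! --- channel (TCP 1723) is inspected, but the GRE tunnel (IP protocol 47)
! --- that PPTP then brings up matches nothing and lands in class-default.
class-map type inspect match-any test
 match protocol tcp
 match protocol udp

! --- Corrected (added example): the zone-based firewall cannot inspect GRE,
! --- so GRE is matched by an ACL and passed. Restrict it to the PPTP server
! --- rather than "any any" so inbound GRE is not opened to the whole Internet.
! --- 203.0.113.10 is a constructed placeholder for the real server address.
ip access-list extended GRE-PPTP
 permit gre any host 203.0.113.10
 permit gre host 203.0.113.10 any

class-map type inspect match-all cls-gre-pptp
 match access-group name GRE-PPTP

! employee -> Internet: keep inspecting tcp/udp (covers TCP 1723), pass GRE,
! and log whatever still falls into class-default so drops are visible.
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class type inspect cls-gre-pptp
  pass
 class class-default
  drop log

! Internet -> employee: pass is stateless and one-directional, so the GRE
! packets coming back from the server need their own pass on this zone-pair.
policy-map type inspect sdm-policy-sdm-cls--5
 class type inspect cls-gre-pptp
  pass
 class type inspect sdm-cls--5
  inspect
 class class-default
  drop log
```

The drop log on class-default is the debugging aid the reply describes: after applying it, a failing PPTP session shows up in the log as GRE dropped by the policy on one of the two zone-pairs, which tells you which direction still lacks the pass. Remove the log keyword once the problem is found if the router sits on a busy link, since logging every dropped packet is itself a load on the device.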
