Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ZBF - Return traffic categorized in wrong zone pair !


I have a router serving as a PPTP server, assigning remote user a ip in the local lan range. From the lan zone (zone_A), I can access another zone directly attached to the router (zone_B). The PPTP server runs on the external wan interface (zone_C). I have a zone pair allowing all traffic from zone_A to zone_B. and it work fine for the local clients really on the lan. However for the clients in PPTP, I have to add another zone pair B to C allowing GRE traffic ... which doesn't make sense (the pptp client should be considered as part of zone A ! the gre encapsulation is from self to C and shouldn't matter).

Example config:

Router 1 (main PPTP server):

hostname r1

no ip domain-lookup

username user@TEST password 0 testpassword

vpdn enable

vpdn-group vpnin


  protocol pptp

  virtual-template 1

zone security zone_A

zone security zone_B

zone security zone_C

ip local pool vpn_pool

interface Loopback 0

ip address

zone-member security zone_A

interface Virtual-Template1

ip unnumbered Loopback0

no ip route-cache

peer default ip address pool vpn_pool

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2

zone-member security zone_A

interface FastEthernet 0/0

ip address

zone-member security zone_C

no shut

interface FastEthernet 0/1

ip address

zone-member security zone_B

no shut

ip access-list extended acl_gre

permit gre any any

class-map type inspect cm_gre

match access-group name acl_gre

class-map type inspect match-any cm_all

match protocol icmp

match protocol udp

match protocol tcp

policy-map type inspect pm_gre

class cm_gre


policy-map type inspect pm_all

class cm_all


zone-pair security zp_A_to_B source zone_A destination zone_B

service-policy type inspect pm_all

zone-pair security zp_B_to_C source zone_B destination zone_C

service-policy type inspect pm_gre

Router 2 (PPTP client):

hostname r2

no ip domain-lookup

interface FastEthernet 0/0

  ip address

  no shut

vpdn enable

vpdn-group vpnout


  protocol pptp

  rotary-group 0

initiate-to ip

interface Dialer0

mtu 1450

ip address negotiated

encapsulation ppp

dialer in-band

dialer idle-timeout 0

dialer string 123

dialer vpdn

dialer-group 1

ppp pfc local request

ppp pfc remote apply

ppp encrypt mppe auto

ppp chap hostname user@TEST

ppp chap password 0 testpassword

dialer-list 1 protocol ip permit

Router 3 (Random machine in the zone_B to test ping):

hostname r3

no ip domain-lookup

interface FastEthernet 0/0

ip address

no shut

ip route

So ... why the hell do I need this B_to_C zone pair for it to work ????


ZBF - Return traffic categorized in wrong zone pair !


As simple as the ZBFW will see that the connection is being innitiated from a host on zone B eventough he looks like a host from the A zone.


Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura
New Member

ZBF - Return traffic categorized in wrong zone pair !

But why would ZBF see that ?

I'm trying to ping a host in zone B ( = R3) from the PPTP client (R2) which has its Virtual Access in zone A.

(I'm typing 'ping' on a shell on R2)

When I do a "show policy-firewall sessions", I can see that the session is created under the right zone-pair ( A_to_B ).

And the forward packet (echo request from A to B) passes without problem. But the return packet (icmp reply from B to A), is actually somehow put into the B to C zone-pair as a GRE packet, which doesn't make sense to me since:

1) 'C' is the zone of neither the source or destination of that packet

2) The 'GRE' packet encapsulating the response is generated in the router itself and not coming from B and so should be classed as a "self to C" zone-pair packet.