
IOS pptp inspection

falain
Level 1

Hello all,

I am moving outbound pptp rules from a Pix to a 2821 ISR running IOS 12.4.

Config is as follows:

ip inspect myfw pptp

int g0/0
 ip access-group Acl_Inside in
 ip inspect Cbac_Dmz out
 ip nat inside

interface Vlan1
 description ** Outside **
 ip address x.x.x.x 255.255.255.240
 ip access-group Acl_Outside in
 ip verify unicast reverse-path
 ip inspect myfw out
 ip nat outside
 ip virtual-reassembly

ip nat inside source list Acl_Nat_Outside interface Vlan1 overload

ip access-list extended Acl_Nat_Outside
 permit ip any any

ip access-list extended Acl_Inside
 permit tcp host <inside IP> host <outside pptp server ip> eq 1723
 permit gre host <inside IP> host <outside pptp server ip>

ip access-list extended Acl_Outside
 ....

If I don't have this in Acl_Outside:

permit gre host <outside pptp server ip> host <router outside ip>

the returning GRE session from the outside pptp server can't be established.

On the Pix it is not necessary; the returning GRE session is created automatically.

Furthermore, the pptp keyword is not recognized; I must give 1723 instead.

Is it another bug?

2 Replies

5220
Level 4

Hi,

On the PIX, pptp is handled by the "fixup", as the PIX understands the pptp protocol.

How pptp works: you send TCP 1723; the return traffic is GRE (IP port 47).

On IOS, you probably need to open the return traffic (GRE):

access-list outbound permit tcp <> <> eq 1723
access-list inbound permit gre <> <>

Please rate if this helped.

Regards,

Daniel

Thanks for the reply,

I agree with your answer, because I solved the problem like this on the C2821.

Then, what is the purpose of 'ip inspect fw pptp'?

I thought it was equivalent to Pix fixup pptp or Asa inspect pptp.

Furthermore, opening a permanent inbound gre door is a security hole.

Is it possible to create a reflexive gre ACL?

Does the new Zone-Based Policy FW in 12.4(6)T hold PPTP return traffic?

Regards,

Alain
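An added config-audit helper, not from the thread or from Cisco, that reads an IOS-style config and reports for the outside interface whether GRE return traffic is admitted by a permanent `permit gre` in the inbound ACL (the door Alain calls a security hole) or by CBAC pptp inspection applied outbound. It assumes the full `ip inspect name <rule> <protocol>` syntax and uses constructed documentation-range addresses in place of the post's placeholders.

```python
import re

# Constructed sample modelled on the thread's 2821 config (addresses are
# documentation ranges, not from the post; "ip inspect name" is the full CBAC form).
SAMPLE_CONFIG = """\
ip inspect name myfw pptp
interface Vlan1
 ip access-group Acl_Outside in
 ip inspect myfw out
ip access-list extended Acl_Inside
 permit tcp host 10.0.0.5 host 203.0.113.10 eq 1723
 permit gre host 10.0.0.5 host 203.0.113.10
ip access-list extended Acl_Outside
 permit tcp any any established
"""

def parse(config):
    # Returns (acls, inspect_rules, interfaces); indented lines belong to the
    # preceding 'interface' / 'ip access-list' block, as in a running-config.
    acls, inspects, ifaces, ctx = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():
            if ctx is not None:
                ctx.append(line.strip())
            continue
        ctx = None  # any top-level command closes the current block
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            ctx = acls.setdefault(m.group(1), [])
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ifaces.setdefault(m.group(1), [])
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            inspects.setdefault(m.group(1), set()).add(m.group(2))
    return acls, inspects, ifaces

def pptp_return_path(config, outside_if):
    # static_gre: permanent 'permit gre' in the inbound ACL (the hole Alain asks about);
    # inspect_pptp: CBAC pptp inspection applied outbound on the same interface.
    acls, inspects, ifaces = parse(config)
    in_acl = rule = None
    for cmd in ifaces.get(outside_if, []):
        if m := re.match(r"ip access-group (\S+) in$", cmd):
            in_acl = m.group(1)
        elif m := re.match(r"ip inspect (\S+) out$", cmd):
            rule = m.group(1)
    return {"inbound_acl": in_acl, "inspect_rule": rule,
            "static_gre": any(e.startswith("permit gre") for e in acls.get(in_acl, [])),
            "inspect_pptp": "pptp" in inspects.get(rule, set())}
```

Running `pptp_return_path(SAMPLE_CONFIG, "Vlan1")` on the sample reports no static GRE entry but pptp inspection present; adding a `permit gre` line to Acl_Outside flips `static_gre`, which is the condition to flag in a review.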