Hi there,
I'm trying to configure a PPTP tunnel for remote users to access inside network resources. Before enabling the firewall (ZBPF) everything worked perfectly: the tunnel came up and worked fine.
Once I tried to define zone-pairs/policy-maps, the VPN connection never came up again. Here is my firewall configuration:
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any All-Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all Router-Access-Traffic
 match access-group name Router-Access
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-TERMINATED
!
!
policy-map type inspect PPTP-In-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-In-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect In-Out-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-Self-Policy
 class type inspect Router-Access-Traffic
  pass
 class type inspect PPTP-Terminated-Traffic
  inspect
 class class-default
  drop log
!
zone security outside
zone security inside
zone security pptp
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination inside
 service-policy type inspect PPTP-In-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended Router-Access
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq 443
!
The pptp zone is associated with the Virtual-Template used for the PPTP connections.
Here is the error log message:
Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 Y.Y.Y.Y.14:0 on zone-pair outside-self class class-default due to DROP action found in policy-map with ip ident 0
where X.X.X.X is the remote IP (of the user who's trying to connect) and Y.Y.Y.Y is the router IP address.
Router version:
Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
The remote client (Windows software) gives the following error after a while (it freezes on authenticating username and password):
Error 734: The PPP link control protocol was terminated
I have no idea how to solve this... I followed exactly this tutorial from Cisco: https://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml
Thanks for your help!
Sergio
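As an added example (not part of the original post or of any Cisco documentation), here is a small Python triage helper that parses %FW-6-DROP_PKT lines of the shape quoted above and counts drops per zone-pair, class and layer-4 label, so you can see at a glance which policy and class is discarding the tunnel traffic. The log lines embedded in it are constructed, with placeholder addresses. The "Unknown-l4" label is what the zone-based firewall prints for a session whose protocol it cannot classify as TCP, UDP or ICMP; GRE, which carries the PPTP data, is one such protocol, so filtering for Unknown-l4 drops in class-default is a quick way to confirm that no class in that zone-pair's policy matched the tunnel packets.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Pattern for the %FW-6-DROP_PKT message shape shown in the post.
# The "with ip ident N" tail is optional so older/shorter variants still parse.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>\S+) (?P<dst>\S+) on zone-pair (?P<zone_pair>\S+) "
    r"class (?P<cls>\S+) due to (?P<action>\S+) action found in policy-map"
    r"(?: with ip ident (?P<ident>\d+))?"
)

# Constructed sample log (placeholder documentation addresses, not real traffic).
SAMPLE_LOG: List[str] = [
    "Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.0.2.10:0 "
    "198.51.100.1:0 on zone-pair outside-self class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    "Jul 13 17:46:49: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.0.2.10:0 "
    "198.51.100.1:0 on zone-pair outside-self class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    "Jul 13 17:47:02: %FW-6-DROP_PKT: Dropping udp session 203.0.113.5:40000 "
    "198.51.100.1:161 on zone-pair outside-self class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    # Unrelated syslog line; the parser must skip it.
    "Jul 13 17:47:10: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


@dataclass(frozen=True)
class FwDrop:
    """One parsed %FW-6-DROP_PKT event."""
    l4: str          # e.g. "tcp", "udp", "icmp" or "Unknown-l4"
    src: str         # "ip:port" as printed by the router
    dst: str
    zone_pair: str   # zone-pair name from the configuration
    cls: str         # class that produced the drop (often "class-default")
    action: str      # "DROP"
    ident: Optional[int]


def parse_drop(line: str) -> Optional[FwDrop]:
    """Parse a single syslog line; return None for lines that are not drop events."""
    m = DROP_RE.search(line)
    if not m:
        return None
    ident = m.group("ident")
    return FwDrop(
        l4=m.group("l4"),
        src=m.group("src"),
        dst=m.group("dst"),
        zone_pair=m.group("zone_pair"),
        cls=m.group("cls"),
        action=m.group("action"),
        ident=int(ident) if ident is not None else None,
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count drops keyed by (zone-pair, class, L4 label)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is not None:
            counts[(d.zone_pair, d.cls, d.l4)] += 1
    return dict(counts)


def unknown_l4_in_class_default(lines: Iterable[str]) -> List[FwDrop]:
    """Return drops of unclassifiable (non TCP/UDP/ICMP) traffic that fell
    through to class-default, i.e. packets no class in the policy matched."""
    return [
        d for d in map(parse_drop, lines)
        if d is not None and d.l4 == "Unknown-l4" and d.cls == "class-default"
    ]


if __name__ == "__main__":
    for (zp, cls, l4), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{zp:>15} {cls:>15} {l4:>12} {n}")
    for d in unknown_l4_in_class_default(SAMPLE_LOG):
        print(f"unclassified drop {d.src} -> {d.dst} on {d.zone_pair}")
```

Feed it the router's syslog (`logging buffered` output or a syslog server file) instead of SAMPLE_LOG; a steady stream of Unknown-l4 drops in one zone-pair's class-default while the client is connecting points at the policy on that zone-pair rather than at PPTP itself.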