I'm trying to configure a PPTP tunnel for remote users to access inside network resources. Before enabling the firewall (ZBPF) everything worked perfectly: the tunnel came up and worked.
Once I tried to define the zone-pairs/policy-maps, the VPN connection never came up again. Here is my firewall configuration:
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any All-Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all Router-Access-Traffic
 match access-group name Router-Access
class-map type inspect match-all PPTP-Terminated-Traffic
 match access-group name PPTP-TERMINATED
!
!
policy-map type inspect PPTP-In-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-In-Policy
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect In-Out-Policy
 class type inspect All-Traffic
  inspect
 class class-default
  drop log
policy-map type inspect Out-Self-Policy
 class type inspect Router-Access-Traffic
  pass
 class type inspect PPTP-Terminated-Traffic
  inspect
 class class-default
  drop log
!
zone security outside
zone security inside
zone security pptp
zone-pair security outside-self source outside destination self
 service-policy type inspect Out-Self-Policy
zone-pair security pptp-in source pptp destination inside
 service-policy type inspect PPTP-In-Policy
zone-pair security inside-outside source inside destination outside
 service-policy type inspect In-Out-Policy
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
ip access-list extended PPTP-TERMINATED
 permit gre any any
 permit tcp any any eq 1723
ip access-list extended Router-Access
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit tcp any any eq 443
!
The pptp zone is associated with the Virtual-Template used for the PPTP connections.
Here is the error log message:
Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session X.X.X.X:0 Y.Y.Y.Y.14:0 on zone-pair outside-self class class-default due to DROP action found in policy-map with ip ident 0
where X.X.X.X is the remote IP (of the user who is trying to connect)
and Y.Y.Y.Y is the router IP address.
Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
The remote client (Windows software) gives the following error after a while (it freezes on authenticating user name and password):
Error 734: The PPP link control protocol was terminated
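The `%FW-6-DROP_PKT` line above carries the three facts that matter for troubleshooting a ZBPF drop: which zone-pair's policy dropped it, which class matched (here `class-default`, i.e. no inspect or pass class claimed the packet), and the L4 label the firewall assigned (`Unknown-l4`, meaning a protocol it has no inspector for, as GRE is). The parser below is an added example and not code from the post; it assumes the message keeps the shape quoted above, the group and function names are my own, and the sample log lines are constructed with documentation addresses in place of the X.X.X.X / Y.Y.Y.Y placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regex for the %FW-6-DROP_PKT syslog message, written from the shape of the
# line quoted in the post; the group names are my own (assumption).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>\S+?):(?P<sport>\d+) (?P<dst>\S+?):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<action>\S+) action"
)


@dataclass(frozen=True)
class DropEvent:
    l4: str          # protocol label IOS assigned, e.g. "tcp" or "Unknown-l4"
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str   # zone-pair whose service-policy dropped the packet
    cls: str         # class that matched; "class-default" means no explicit class did
    action: str


def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return DropEvent(
        l4=m["l4"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        zone_pair=m["zone_pair"], cls=m["cls"], action=m["action"],
    )


def unmatched_drops(lines: Iterable[str]) -> List[DropEvent]:
    """Drops that fell through to class-default, i.e. traffic that no
    inspect/pass class in that zone-pair's policy-map claimed."""
    events = (parse_drop(line) for line in lines)
    return [e for e in events if e is not None and e.cls == "class-default"]


def drop_summary(lines: Iterable[str]) -> Counter:
    """Count drops per (zone_pair, class, l4) so the responsible policy stands out."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_drop(line)
        if e is not None:
            counts[(e.zone_pair, e.cls, e.l4)] += 1
    return counts


# Constructed sample log: the post's message with documentation addresses
# substituted, a second unknown-L4 drop on the inside-outside pair (All-Traffic
# only matches tcp/udp/icmp), and one unrelated message that must be skipped.
SAMPLE_LOG = [
    "Jul 13 17:46:47: %FW-6-DROP_PKT: Dropping Unknown-l4 session "
    "203.0.113.10:0 198.51.100.1:0 on zone-pair outside-self class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    "Jul 13 17:46:48: %FW-6-DROP_PKT: Dropping Unknown-l4 session "
    "203.0.113.10:0 198.51.100.1:0 on zone-pair outside-self class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    "Jul 13 17:47:02: %FW-6-DROP_PKT: Dropping Unknown-l4 session "
    "192.0.2.20:0 203.0.113.5:0 on zone-pair inside-outside class class-default "
    "due to DROP action found in policy-map with ip ident 0",
    "Jul 13 17:47:10: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for (zone_pair, cls, l4), n in drop_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  zone-pair={zone_pair:<15} class={cls:<14} l4={l4}")
```

Running it against a syslog export groups the drops by zone-pair and class; a `class-default` row with `Unknown-l4` on a pair whose policy only has `inspect` classes points at a protocol the inspect engine does not handle and that therefore needs an explicit class of its own before the default drop.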
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...