Introduction
This document describes a problem with the Zone-Based Firewall (ZBF), in which the ZBF does not properly inspect Point-to-Point Tunneling Protocol (PPTP) traffic that uses Generic Routing Encapsulation (GRE).
Prerequisites
Requirements
Cisco recommends that you have knowledge of Cisco ZBF configuration in IOS routers.
Components Used
The information in this document is based on these software and hardware versions:
- Integrated Services Routers (ISR G1)
- IOS 15M&T
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
PPTP is a method of implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
A PPTP tunnel is initiated to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second, GRE, tunnel to the same peer.
The GRE tunnel carries the encapsulated PPP packets, which allows the tunneling of any protocol that can be carried within PPP, including IP, NetBEUI and IPX.
Problem: Troubleshoot IOS Zone Based Policy Firewall Inspection Issues for the PPTP protocol with GRE
It is confirmed that the ZBF does not inspect PPTP with GRE traffic. The reason is that the ZBF does not open the pin-holes required to allow the return traffic to pass through. Here is an example of a typical ZBF configuration for the inspection of PPTP with GRE traffic:
ip access-list extended 160
 permit gre any any
class-map type inspect match-all PPTP-GRE
 match access-group 160
policy-map type inspect WAN-LAN-pmap
 class class-default
  drop
policy-map type inspect LAN-WAN-pmap
 class type inspect PPTP-GRE
  inspect
 class class-default
  drop
zone security LAN
zone security WAN
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-pmap
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-pmap
Note: In this configuration example the PPTP connection is initiated from the LAN zone to the WAN zone.
Note: Even though the TCP control connection of the PPTP session is shown as established in the show policy-firewall sessions output of the ZBF, the PPTP connection does not work through the router, because the GRE tunnel is not handled.
Solution
In order to allow PPTP VPN connections with GRE through the ZBF, change the inspect action of the ZBF rules to a pass action in both directions of the traffic flow, in each zone-pair involved, as follows:
ip access-list extended 160
 permit gre any any
class-map type inspect match-all PPTP-GRE
 match access-group 160
policy-map type inspect WAN-LAN-pmap
 class type inspect PPTP-GRE
  pass
 class class-default
  drop
policy-map type inspect LAN-WAN-pmap
 class type inspect PPTP-GRE
  pass
 class class-default
  drop
zone security LAN
zone security WAN
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-pmap
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-pmap
After you apply this ZBF configuration change, the PPTP VPN connection with GRE works through the ZBF.
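The misconfiguration described in the Problem section can be caught before deployment by checking the running configuration. The following is an added example (not Cisco's code) that parses the ACL, class-map and policy-map sections of an IOS ZBF configuration and reports every class whose ACL permits GRE or ESP but is given the inspect action instead of pass; the SAMPLE_CONFIG is a constructed fragment modelled on the problem configuration above.

```python
import re

NON_INSPECTABLE = {"gre", "esp"}  # the ZBF cannot statefully inspect these; they need 'pass'

# Constructed sample, modelled on the problem configuration above (LAN-WAN side only).
SAMPLE_CONFIG = """
ip access-list extended 160
 permit gre any any
class-map type inspect match-all PPTP-GRE
 match access-group 160
policy-map type inspect LAN-WAN-pmap
 class type inspect PPTP-GRE
  inspect
"""

def parse_zbf(config):
    """Return (acl -> protocols, class-map -> ACLs, policy-map -> {class: action})."""
    acl_protos, cls_acls, pm_actions = {}, {}, {}
    cur_acl = cur_cls = cur_pm = cur_pm_cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)$", line):
            cur_acl, cur_cls, cur_pm = m[1], None, None
            acl_protos.setdefault(cur_acl, set())
        elif m := re.match(r"class-map type inspect \S+ (\S+)$", line):
            cur_cls, cur_acl, cur_pm = m[1], None, None
            cls_acls.setdefault(cur_cls, set())
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            cur_pm, cur_acl, cur_cls = m[1], None, None
            pm_actions.setdefault(cur_pm, {})
        elif cur_acl and (m := re.match(r"permit (\S+)", line)):
            acl_protos[cur_acl].add(m[1].lower())  # e.g. 'gre', 'esp', 'tcp', 'ip'
        elif cur_cls and (m := re.match(r"match access-group (\S+)$", line)):
            cls_acls[cur_cls].add(m[1])
        elif cur_pm and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cur_pm_cls = m[1]  # class entry inside a policy-map, incl. class-default
        elif cur_pm and cur_pm_cls and line in ("inspect", "pass", "drop"):
            pm_actions[cur_pm][cur_pm_cls] = line
    return acl_protos, cls_acls, pm_actions

def find_misconfigured(config):
    """Return sorted (policy-map, class, protocol) triples that inspect GRE/ESP."""
    acl_protos, cls_acls, pm_actions = parse_zbf(config)
    findings = []
    for pm, classes in pm_actions.items():
        for cls, action in classes.items():
            protos = set().union(*(acl_protos.get(a, set()) for a in cls_acls.get(cls, ())))
            findings += [(pm, cls, p) for p in protos & NON_INSPECTABLE if action == "inspect"]
    return sorted(findings)
```

Calling find_misconfigured(SAMPLE_CONFIG) returns [("LAN-WAN-pmap", "PPTP-GRE", "gre")]; once the action is changed to pass, as in the Solution, the list is empty.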
Related Information
To allow GRE and Encapsulating Security Payload (ESP) protocol traffic through a zone-based policy firewall, use the pass action. The GRE and ESP protocols do not support stateful inspection; if you use the inspect action on the ZBF, traffic for these protocols is dropped.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
Related Bug
CSCtn52424 ZBF ENH: Implement inspection of PPTP with dynamic GRE pass-through