Problem: clients on the inside of a Cisco IOS Zone-Based Firewall (ZBF) cannot bring up their Windows PPTP VPN to a server outside the firewall. For a full understanding of PPTP read RFC 2637; a quick summary of the parts that matter to the firewall:
- PPTP uses a TCP control connection on port 1723 for tunnel establishment, authentication, and maintenance
- the tunnelled data is carried in GRE (IP protocol 47), which is its own IP protocol, not TCP or UDP, so it has no port number for a port-based inspection rule to match
By default, ZBF's keyword "match protocol pptp" inspects only the TCP 1723 control connection; it does not handle the GRE data packets. The symptom is that the client authenticates and the tunnel appears to come up, but no traffic flows through it because the GRE packets are dropped by the class-default drop. The fix is to pass GRE explicitly. Note that "pass" is stateless and one-directional, so it has to be configured on both zone pairs. (Separately, PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken; this post only covers getting the traffic through the firewall.)
Step 1: Define a new class-map that matches all GRE. Note that you need to use an ACL for this, referenced from the class-map, because there is no "match protocol gre" for type inspect class-maps. The "any any" below is the simplest form; if you know the address of the external PPTP server, restrict the ACL to it, because in Step 2 this traffic will be passed without state tracking:
ip access-list extended GRE
 remark Access List to allow PPTP GRE outbound
 permit gre any any
class-map type inspect match-any CM_GRE_PROTOCOLS
 match access-group name GRE
Step 2: Configure a policy map which specifies the action for the class map. CM_INTERNET_TRAFFIC is your existing class for the normal inside-to-outside traffic; it must still cover the TCP 1723 control channel (for example via "match protocol pptp" or "match protocol tcp") so that the control session is inspected and its return traffic is allowed. GRE gets "pass" rather than "inspect" because ZBF cannot track GRE sessions. Because "pass" does not create return-traffic state, the outside-to-inside policy also needs a pass entry for GRE, and with an "any any" ACL that entry admits inbound GRE to every inside host unconditionally, which is why tightening the ACL to the VPN server in Step 1 is worthwhile:
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_GRE_PROTOCOLS
  pass
 class type inspect CM_INTERNET_TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_GRE_PROTOCOLS
  pass
 class class-default
  drop
Step 3: Configure the zone pairs and apply your policies (the zones ZONE_INSIDE and ZONE_OUTSIDE and their interface membership are assumed to exist already; if a zone pair is already present, just replace its service-policy):
zone-pair security ZONEP_INSIDE_OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security ZONEP_OUTSIDE_INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
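The three steps above as one complete, tightened configuration. This is an added example, not the original post's configuration: it adds the zone and interface definitions the post takes for granted, pins the GRE ACLs to a single external PPTP server in each direction instead of "any any", fills in a plausible CM_INTERNET_TRAFFIC class, and ends with the show commands used to confirm the result. The interface names, the 192.168.10.0/24 LAN, the server address 203.0.113.10 and the class-map contents are all assumed placeholder values.

```ios
! Added worked example (not from the original post). All addresses and
! interface names below are assumptions; substitute your own.
!
! Zones and interface membership (the post assumes these already exist)
zone security ZONE_INSIDE
zone security ZONE_OUTSIDE
interface GigabitEthernet0/0
 description LAN 192.168.10.0/24 (assumed)
 zone-member security ZONE_INSIDE
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 zone-member security ZONE_OUTSIDE
!
! One GRE ACL per direction, pinned to the external PPTP server (assumed
! 203.0.113.10) so that the stateless "pass" only admits GRE to and from
! the host the clients actually tunnel to, rather than from anywhere.
ip access-list extended GRE_OUT
 remark PPTP GRE from the LAN to the external PPTP server
 permit gre 192.168.10.0 0.0.0.255 host 203.0.113.10
ip access-list extended GRE_IN
 remark PPTP GRE returning from the external PPTP server to the LAN
 permit gre host 203.0.113.10 192.168.10.0 0.0.0.255
!
class-map type inspect match-any CM_GRE_OUT
 match access-group name GRE_OUT
class-map type inspect match-any CM_GRE_IN
 match access-group name GRE_IN
!
! Ordinary inside-to-outside traffic. "pptp" here covers the TCP 1723
! control channel, which is inspected statefully like any other TCP session.
class-map type inspect match-any CM_INTERNET_TRAFFIC
 match protocol pptp
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_GRE_OUT
  pass
 class type inspect CM_INTERNET_TRAFFIC
  inspect
 class class-default
  drop log
policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_GRE_IN
  pass
 class class-default
  drop log
!
zone-pair security ZONEP_INSIDE_OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security ZONEP_OUTSIDE_INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
!
! Verification: connect a client, then confirm the TCP 1723 control session
! shows up as an inspected session and the GRE class counters are climbing
! in both zone pairs.
! show policy-map type inspect zone-pair ZONEP_INSIDE_OUTSIDE sessions
! show policy-map type inspect zone-pair ZONEP_INSIDE_OUTSIDE
! show policy-map type inspect zone-pair ZONEP_OUTSIDE_INSIDE
```

If the GRE counters stay at zero while the control session is established, the client never reached the data phase; if the control session itself does not appear, CM_INTERNET_TRAFFIC is not matching TCP 1723. The "drop log" on class-default makes either case visible in the log instead of failing silently. If the inside clients are also NATed on this router, PPTP passthrough through NAT is a separate concern that this configuration does not address.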