Re: zone security - part 2

From: Paul Cocker <paul.cocker_at_gmx.com>
Date: Mon, 14 Feb 2011 12:07:31 +0000

if I permit tcp1723 AND
if I inspect GRE
it does not work.

OR
if I permit tcp1723 AND
I inspect PPTP
it does not work.

OR
if I permit tcp1723 AND
I pass GRE
it works!

I don't see why the 1st 2 options shouldn't work.

On 14/02/2011 08:44, Radioactive Frog wrote:
>
> >>>>Apparently the only thing that works is passing (ie not
> inspecting) gre traffic in both directions (and also having a pass or
> inspect rule for the 1723tcp traffic).
>
> That is normal, not sure what your issue is.
> GRE+1723 port needs to be open for PPTP.
>
>
> On Mon, Feb 14, 2011 at 8:20 AM, Paul Cocker <paul.cocker_at_gmx.com
> <mailto:paul.cocker_at_gmx.com>> wrote:
>
> Hi,
>
> Just trying to understand why the following happens.
>
> Trying to get a PPTP windows client to vpn through a zone based
> firewall.
>
> I have an inspect for all traffic from that host; that doesn't work.
>
> Tried the inspect pptp option, that doesn't work.
>
> Apparently the only thing that works is passing (ie not
> inspecting) gre traffic in both directions (and also having a
> pass or inspect rule for the 1723tcp traffic).
>
> Any ideas? Or just a bad implementation by cisco of their inspect
> pptp and inspect gre on the ZBF?
>
> Paul
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
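The combination Paul reports as working (TCP 1723 inspected, GRE passed statelessly in both directions), written out as an IOS zone-based firewall configuration. This is an added illustration, not configuration posted in the thread; the zone names, class-map and policy-map names, and the assumption that the PPTP client sits in the INSIDE zone and the VPN server in OUTSIDE are made up.

```cisco
! Assumed zones: client on INSIDE, PPTP server reachable via OUTSIDE
zone security INSIDE
zone security OUTSIDE

! Control channel: TCP 1723, stateful inspection is fine here
class-map type inspect match-all CM-PPTP-CTRL
 match protocol pptp
! Data channel: GRE carries the PPP session, no ports to track
class-map type inspect match-all CM-GRE
 match protocol gre

! INSIDE -> OUTSIDE: inspect 1723, pass GRE
policy-map type inspect PM-IN-OUT
 class type inspect CM-PPTP-CTRL
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop log

! OUTSIDE -> INSIDE: pass is stateless, so the return GRE
! direction needs its own explicit pass rule
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE
  pass
 class class-default
  drop log

zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Because `pass` creates no session entry, the OUT-IN rule admits any GRE from OUTSIDE to INSIDE, not only replies to the client's tunnel; tighten the class-map with an access-group matching the server address if the server is fixed.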

Received on Mon Feb 14 2011 - 12:07:31 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART