Ah! Thanks Tyson, weird that the context-sensitive help encourages
impossible configs. I guess it's a reminder for me to re-read the doc CD etc.
Much appreciated.
Paul
On 14/02/2011 13:38, Tyson Scott wrote:
> ZBF only supports TCP/UDP/ICMP protocols for inspection. You must use the
> pass option for all other IP based protocols.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Radioactive Frog
> Sent: Monday, February 14, 2011 3:45 AM
> To: Paul Cocker
> Cc: ccielab_at_groupstudy.com
> Subject: Re: zone security - part 2
>
>>>>> Apparently the only thing that works is passing (ie not inspecting) gre
>>>>> traffic in both directions (and also having a pass or inspect rule for the
>>>>> 1723tcp traffic).
>
> That is normal, not sure what is your issue.
> GRE+1723 port needs to be open for PPTP.
>
>
> On Mon, Feb 14, 2011 at 8:20 AM, Paul Cocker<paul.cocker_at_gmx.com> wrote:
>
>> Hi,
>>
>> Just trying to understand why the following happens.
>>
>> Trying to get a PPTP windows client to vpn through a zone based firewall.
>>
>> Have an inspect for all traffic from that host, that doesn't work.
>>
>> Tried the inspect pptp option, that doesn't work.
>>
>> Apparently the only thing that works is passing (ie not inspecting) gre
>> traffic in both directions (and also having a pass or inspect rule for the
>> 1723tcp traffic).
>>
>> Any ideas? Or just a bad implementation by Cisco of their inspect pptp and
>> inspect gre on the ZBF?
>>
>> Paul
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
Received on Mon Feb 14 2011 - 13:41:28 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART
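
Added example, not part of the original thread: a zone-based firewall sketch of what the replies describe, with the PPTP control channel (TCP 1723) inspected and GRE passed statelessly in each direction. The zone names, object names and the two addresses (client 192.0.2.10, PPTP server 198.51.100.20) are constructed for illustration, and interface zone-member assignments are omitted.

```cisco
! Constructed example: all names and addresses below are assumptions.
! TCP 1723 is TCP, so ZBF can inspect it and track the return traffic.
ip access-list extended ACL-PPTP-CONTROL
 permit tcp host 192.0.2.10 host 198.51.100.20 eq 1723
! GRE (IP protocol 47) cannot be inspected; it is matched per direction.
ip access-list extended ACL-GRE-OUT
 permit gre host 192.0.2.10 host 198.51.100.20
ip access-list extended ACL-GRE-IN
 permit gre host 198.51.100.20 host 192.0.2.10
!
class-map type inspect match-all CM-PPTP-CONTROL
 match access-group name ACL-PPTP-CONTROL
class-map type inspect match-all CM-GRE-OUT
 match access-group name ACL-GRE-OUT
class-map type inspect match-all CM-GRE-IN
 match access-group name ACL-GRE-IN
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-PPTP-CONTROL
  inspect
 class type inspect CM-GRE-OUT
  pass
 class class-default
  drop
!
! "pass" keeps no state, so the returning GRE needs its own policy
! on the reverse zone-pair.
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-GRE-IN
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
```

Because the GRE entries are stateless, keeping them pinned to the known client and server addresses limits what the reverse zone-pair admits.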