Re: zone security - part 2

From: Radioactive Frog <pbhatkoti_at_gmail.com>
Date: Tue, 15 Feb 2011 14:24:03 +1100

Ah.. I see your point here...

On Tue, Feb 15, 2011 at 12:41 AM, Paul Cocker <paul.cocker_at_gmx.com> wrote:

> Ah! Thanks Tyson, weird that the context-sensitive help encourages
> impossible configs. I guess it's a reminder for me to re-read the doc CD etc.
>
> Much appreciated.
> Paul
>
>
> On 14/02/2011 13:38, Tyson Scott wrote:
>
>> ZBF Only supports TCP/UDP/ICMP protocols for inspection. You must use the
>> pass option for all other IP based protocols.
>>
>> Regards,
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Radioactive Frog
>> Sent: Monday, February 14, 2011 3:45 AM
>> To: Paul Cocker
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: zone security - part 2
>>
>>> Apparently the only thing that works is passing (ie not inspecting) gre
>>> traffic in both directions (and also having a pass or inspect rule for the
>>> 1723tcp traffic).
>>
>> That is normal, not sure what is your issue.
>> GRE+1723 port needs to be open for PPTP.
>>
>>
>> On Mon, Feb 14, 2011 at 8:20 AM, Paul Cocker<paul.cocker_at_gmx.com> wrote:
>>
>> Hi,
>>>
>>> Just trying to understand why the following happens.
>>>
>>> Trying to get a PPTP windows client to vpn through a zone based firewall.
>>>
>>> Have an inspect for all traffic from that host; that doesn't work.
>>>
>>> Tried the inspect pptp option; that doesn't work.
>>>
>>> Apparently the only thing that works is passing (ie not inspecting) gre
>>> traffic in both directions (and also having a pass or inspect rule for the
>>> 1723tcp traffic).
>>>
>>> Any ideas? Or just a bad implementation by cisco of their inspect pptp and
>>> inspect gre on the ZBF?
>>>
>>> Paul
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>

Received on Tue Feb 15 2011 - 14:24:03 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART
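As an added worked example (not part of the thread, and not configuration posted by any of the participants), here is an IOS zone-based firewall configuration that applies Tyson's point: the TCP/1723 PPTP control channel is stateful-inspected, while GRE (IP protocol 47), which ZBF cannot inspect, is given the pass action in both zone-pairs. The zone names, interface names and the VPN server address 198.51.100.10 are assumptions chosen for illustration.

```cisco
! Constructed example: ZBF for a PPTP client on the inside reaching a
! PPTP server on the outside. Zone/interface names and the server
! address are assumptions, not taken from the thread.
!
ip access-list extended PPTP-CTRL-ACL
 permit tcp any host 198.51.100.10 eq 1723
!
! GRE is narrowed to the VPN server so the stateless "pass" rule on the
! outside-to-inside zone-pair does not admit arbitrary GRE from the Internet.
ip access-list extended GRE-TO-SERVER-ACL
 permit gre any host 198.51.100.10
ip access-list extended GRE-FROM-SERVER-ACL
 permit gre host 198.51.100.10 any
!
! TCP can be inspected, so the control channel gets a stateful session.
class-map type inspect match-all PPTP-CTRL
 match access-group name PPTP-CTRL-ACL
!
class-map type inspect match-all GRE-OUT
 match access-group name GRE-TO-SERVER-ACL
class-map type inspect match-all GRE-IN
 match access-group name GRE-FROM-SERVER-ACL
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect PPTP-CTRL
  inspect
 class type inspect GRE-OUT
  pass
 class class-default
  drop
!
! "pass" is one-directional and creates no session state, so the return
! GRE must be passed explicitly on the reverse zone-pair.
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect GRE-IN
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
!
interface GigabitEthernet0/0
 description inside LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside / Internet (assumed)
 zone-member security OUTSIDE
```

Because pass installs no session, the GRE-IN rule is what the firewall will accept from the outside at all times, whether or not a PPTP control session exists; keeping that ACL pinned to the server address (rather than `permit gre any any`) is the practical mitigation for a protocol ZBF cannot track. After applying the policy, `show policy-map type inspect zone-pair sessions` should show a TCP/1723 session for the client while GRE appears only in the pass counters.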