Hey! I'm using a Windows Server 2012 with 2 NICs, one for VPN clients to connect to. Everything works fine when ZBF is not active on the router (using a Cisco 2811, by the way). I've set up the zone pairs and everything correctly, I believe, but I can't seem to get the VPN connection through.
Here is the ZBF config:
class-map type inspect match-any OUT-TO-DMZ
 match protocol http
 match protocol https
 match protocol pop3
 match protocol imap
 match protocol smtp
class-map type inspect match-all PPTP-Pass
 match access-group name PPTP-Pass
class-map type inspect match-any IN-TO-DMZ
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all IN-TO-OUT
 match protocol pptp
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
!
!
policy-map type inspect OUT-TO-DMZ
 class type inspect OUT-TO-DMZ
  inspect
 class class-default
  drop log
policy-map type inspect IN-TO-DMZ
 class type inspect IN-TO-DMZ
  inspect
 class class-default
  drop log
policy-map type inspect IN-TO-OUT
 class type inspect IN-TO-OUT
  inspect
 class type inspect PPTP-Pass
  pass
 class class-default
  drop log
policy-map type inspect OUT-TO-IN
 class type inspect PPTP-Pass
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-TO-DMZ
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect IN-TO-DMZ
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
And the access list for passing PPTP + GRE:
ip access-list extended PPTP-Pass
 permit gre any any
 permit tcp any any gt 1023 established
Any help would be great, as I've tried to fix this for the past week.
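An added example, not part of the original post: a small Python lint for a zone-based firewall config like the one above. It flags two things a reviewer would check: `match-all` class-maps listing several protocols (every criterion must match the same packet), and a PPTP access list with no entry for new connections to TCP 1723, the PPTP control port. The function names, the indented sample excerpt and the "ACL name contains pptp" heuristic are assumptions made for this example.

```python
import re
# Constructed excerpt of the posted config (only the parts the checks read).
CONFIG = """\
class-map type inspect match-all PPTP-Pass
 match access-group name PPTP-Pass
class-map type inspect match-all IN-TO-OUT
 match protocol pptp
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
class-map type inspect match-any IN-TO-DMZ
 match protocol tcp
 match protocol udp
ip access-list extended PPTP-Pass
 permit gre any any
 permit tcp any any gt 1023 established
"""

def parse_blocks(text):
    """Group indented sub-commands under their unindented parent line."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line.strip()
            blocks[current] = []
        elif current:
            blocks[current].append(line.strip())
    return blocks

def lint(text):
    """Return a list of human-readable findings for the two checks."""
    findings = []
    for head, body in parse_blocks(text).items():
        # Check 1: match-all with more than one protocol criterion.
        m = re.match(r"class-map type inspect match-all (\S+)", head)
        protos = [b.split()[2] for b in body if b.startswith("match protocol ")]
        if m and len(protos) > 1:
            findings.append(f"class-map {m.group(1)}: match-all needs one packet to match all of {protos}")
        # Check 2 (assumption: a PPTP ACL has 'pptp' in its name).
        m = re.match(r"ip access-list extended (\S+)", head)
        if m and "pptp" in m.group(1).lower():
            ok = any(re.match(r"permit tcp .*\beq 1723\b", b) and "established" not in b for b in body)
            if not ok:
                findings.append(f"access-list {m.group(1)}: no entry permits new TCP 1723 (PPTP control) connections")
    return findings

print("\n".join(lint(CONFIG)))
```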