Wednesday, February 4, 2015

GRE pass-through on ZBF

Simple little config snippet for a Cisco Zone-Based firewall.

First you need an ACL that selects GRE traffic, and a quick word about deny statements before we write it.
Deny? Wait a second, don't we want traffic to pass?
Well of course we do! But remember that in a Zone-Based firewall your outbound ACL is normally used in a class-map with the inspect action, which dynamically allows the bi-directional session. The catch is that you can't inspect GRE traffic; it just doesn't work. GRE has no ports and no session state for the firewall to track, so GRE that lands on an inspect class doesn't get through. That means two things: if the class-map feeding your inspect action matches on an ACL, that ACL should deny GRE so GRE is never offered to inspect, and the ACL for the class we're about to build must permit GRE. In a "match access-group" class-map only packets the ACL permits match the class, so a deny entry here would simply mean "not this class" and GRE would fall through to class-default and be dropped.
(config)#ip access-list extended ACL_PERMIT_GRE
(config-ext-nacl)#permit gre any any

Okay, so we're not inspecting the traffic, but we still need to pass it. To do this we make a class-map and nest it under both our outbound and inbound policy-maps.

Now we'll create our class-map which matches GRE traffic, referencing the ACL we just made:
(config)#class-map type inspect match-all CMAP_PASS_GRE
(config-cmap)#match access-group name ACL_PERMIT_GRE

Then we apply this to our policy maps and define the action as pass. Unlike inspect, pass is stateless and only affects the direction of the zone-pair it is attached to, which is why the same class has to appear in both policy maps.
The policy maps I'm applying these to also contain class-maps for generic traffic. Class order matters in a policy map, so list CMAP_PASS_GRE before any generic class that could also match GRE (for example one built on an ACL with "permit ip any any"); a generic class that matches only on protocol tcp, udp and icmp will never catch GRE anyway.
(config)#policy-map type inspect PMAP_UNTRUST_TO_TRUST
(config-pmap)#class type inspect CMAP_PASS_GRE
(config-pmap-c)#pass

(config)#policy-map type inspect PMAP_TRUST_TO_UNTRUST
(config-pmap)#class type inspect CMAP_PASS_GRE
(config-pmap-c)#pass
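
Putting the pieces together, here is a complete build of the same idea as an added example (not configuration from the original post): zones, a generic inspect class beside the GRE pass class in both directions, the zone-pairs, and the show commands to confirm it. The zone names TRUST and UNTRUST, the interfaces GigabitEthernet0/0 and 0/1, the class-map name CMAP_INSPECT_GENERIC and the example tunnel endpoint addresses are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Assumed names: zones TRUST and
! UNTRUST, interfaces Gi0/0 (inside) and Gi0/1 (outside), class-map
! CMAP_INSPECT_GENERIC. Check syntax against your IOS release.
!
! Zones and interface membership
zone security TRUST
zone security UNTRUST
interface GigabitEthernet0/0
 description Inside
 zone-member security TRUST
interface GigabitEthernet0/1
 description Outside
 zone-member security UNTRUST
!
! ACL that selects GRE (IP protocol 47). The entry MUST be a permit: in a
! "match access-group" class only packets the ACL permits match the class.
! "any any" matches the original post; in production narrow it to the tunnel
! endpoints, e.g. (assumed addresses)  permit gre host 198.51.100.10 host 203.0.113.20
ip access-list extended ACL_PERMIT_GRE
 permit gre any any
!
! Generic class: TCP, UDP and ICMP can be stateful-inspected. GRE is not
! listed, so this class can never hand GRE to the inspect action.
class-map type inspect match-any CMAP_INSPECT_GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! GRE class, referencing the permit ACL above
class-map type inspect match-all CMAP_PASS_GRE
 match access-group name ACL_PERMIT_GRE
!
! Inside -> outside: GRE listed first, passed statelessly; everything else
! inspected; anything unmatched dropped and logged.
policy-map type inspect PMAP_TRUST_TO_UNTRUST
 class type inspect CMAP_PASS_GRE
  pass
 class type inspect CMAP_INSPECT_GENERIC
  inspect
 class class-default
  drop log
!
! Outside -> inside: "pass" is one-directional, so GRE must be passed here
! too. Return TCP/UDP/ICMP is allowed by the inspect state built in the
! other direction, so nothing else is opened unsolicited.
policy-map type inspect PMAP_UNTRUST_TO_TRUST
 class type inspect CMAP_PASS_GRE
  pass
 class class-default
  drop log
!
! Bind the policies to zone-pairs
zone-pair security TRUST-TO-UNTRUST source TRUST destination UNTRUST
 service-policy type inspect PMAP_TRUST_TO_UNTRUST
zone-pair security UNTRUST-TO-TRUST source UNTRUST destination TRUST
 service-policy type inspect PMAP_UNTRUST_TO_TRUST
!
! Verification (exec mode). With a tunnel up, the packet counters under
! CMAP_PASS_GRE should climb in BOTH zone-pairs; hits in class-default on
! either side mean GRE is still being dropped there.
! show policy-map type inspect zone-pair TRUST-TO-UNTRUST
! show policy-map type inspect zone-pair UNTRUST-TO-TRUST
! show ip access-lists ACL_PERMIT_GRE
```

Because pass creates no state, the UNTRUST-TO-TRUST entry lets any GRE the ACL permits into the inside zone unsolicited, whether or not an inside host ever started a tunnel. That is the real cost of "permit gre any any" and the reason to pin the ACL to the tunnel endpoints once you know them. For PPTP, only the GRE data channel needs this treatment; the TCP 1723 control connection is ordinary TCP and is handled by the inspect class.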

And that's about it; your GRE should be good to go. Confirm it with "show policy-map type inspect zone-pair": the counters under CMAP_PASS_GRE should increment in both zone-pairs while a tunnel is up, and hits in class-default mean GRE is still being dropped somewhere. Keep in mind that pass is stateless, so the inbound class admits any GRE the ACL permits without a matching outbound session; tighten "any any" to the real tunnel endpoints once you know them. This also covers PPTP pass-through on Cisco IOS running ZBF, since PPTP carries its data in GRE (the TCP 1723 control channel is handled by your normal inspect class), and the same principle applies on an ASA even though the ASA has no zone-based policy and the configuration looks different.
