I'll also note that PPTP first uses a TCP connection on port 1723 and then the GRE encapsulation. The "ip inspect name <name> pptp" might focus primarily on the TCP session.
Hi,
I'm having problems configuring CBAC on a Cisco 871 router - 12.4(22)T. I'm getting traffic in and out of the box but certain protocols don't seem to work, specifically PPTP and ICMP. Below are the pertinent parts of my config:
ip inspect name Global_IE tcp
ip inspect name Global_IE udp
ip inspect name Global_IE icmp
ip inspect name Global_IE pptp
!
interface Vlan10
ip address 172.16.0.1 255.255.255.252
ip access-group Vestibule_Outbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
switchport access vlan 10
duplex full
speed 100
!
interface FastEthernet4
ip address dhcp
ip access-group Inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip ips Global_IPS in
ip ips Global_IPS out
ip inspect Global_IE out
ip virtual-reassembly
duplex auto
speed auto
!
ip access-list extended Vestibule_Outbound
permit ip any any
deny ip any any log
!
ip access-list extended Inbound
remark Permit DHCP
permit udp any eq bootps any eq bootpc
deny ip any any log
!
My understanding of the above configuration is that:
1. PPTP traffic is allowed by the Vestibule_Outbound ACL inbound to VLAN 10
2. The traffic leaves the fa4 interface since no Outbound ACL is applied.
3. CBAC opens a temporary ACE at the top of the Inbound ACL to allow the return traffic (GRE)
If I let SDM do the configuration I end up with an ACE of permit tcp any any eq gre on the Inbound ACL. The same for ICMP & NTP. Although this works, doesn't this simply open up a hole in the network? Isn't CBAC supposed to allow return traffic dynamically rather than having a specific ACE? I'm having the same problem with ICMP too.
Can anyone explain the processing rules that CBAC uses? I've read conflicting statements that CBAC:
1. First checks the traffic against an ACL then inspects it, if configured to, and finally amends the corresponding ACL to allow the return traffic.
2. Inspects the traffic first then amends the corresponding ACL to allow the return traffic.
I'm confused. What is the correct way to accomplish this?
Thanks.
Generally, I've used the defaults unless I had a particular reason to adjust them. (For example, some clients have applications that they leave open but inactive, and the idle timeout will cause them to have to reconnect; in those cases I've increased the idle timeout. In another case, they were getting flooded by SYN packets; I reduced the half-open timeout as well as using the half-open connection limits.)
by: asavener, posted on 2009-07-01 at 22:11:55, ID: 24760587
That's the way it is supposed to work, but CBAC has problems with connectionless protocols like UDP, and GRE (in my experience).
Allowing GRE in is not much of a security risk, because by definition, it is an encapsulation protocol. Something on the inside of your network has to decapsulate it.
I would use the GRE keyword, though: permit gre any any
Similarly, I've had to add ACL entries similar to:
deny icmp any any redirect
deny icmp any any timestamp-request
deny icmp any any echo
permit icmp any any
(Alternately, you can add permit statements for echo-reply, time exceeded, administratively prohibited, etc.)
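As an added illustration (not part of the question or the answers above), here is the asker's Inbound ACL rewritten along the lines of this answer, using the more restrictive per-type ICMP variant mentioned above, together with the CBAC timeout and half-open settings referred to in the earlier comment; the numeric values are illustrative assumptions, not recommendations for any particular site.

```cisco
! Added example; interface and ACL names are taken from the question.
! Global CBAC tuning (the earlier comment mentions raising the idle timeout
! for idle-but-open applications and lowering the half-open timeout under
! SYN floods). Values here are assumed for illustration only.
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 1800
ip inspect udp idle-time 60
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp max-incomplete host 50 block-time 2
!
! Inspection rules unchanged from the question
ip inspect name Global_IE tcp
ip inspect name Global_IE udp
ip inspect name Global_IE icmp
ip inspect name Global_IE pptp
!
ip access-list extended Inbound
 remark Permit DHCP from the upstream server
 permit udp any eq bootps any eq bootpc
 remark GRE (the PPTP data channel) is not tracked reliably by CBAC,
 remark so it is permitted explicitly with the gre keyword, not tcp/eq gre
 permit gre any any
 remark ICMP: drop types an outside host has no business sending inward,
 remark then permit only the reply and error types inside hosts need
 deny icmp any any redirect
 deny icmp any any timestamp-request
 deny icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Everything else is dropped and logged, as in the original ACL
 deny ip any any log
!
interface FastEthernet4
 ip access-group Inbound in
 ip inspect Global_IE out
```

The deny lines for redirect, timestamp-request and echo sit above the permits so they are matched first; CBAC still inserts its dynamic entries ahead of the whole list for the sessions it does track.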