GRE through PIX failing

CMASPE (IS-IT--Management), Sep 25, 2001
I opened the necessary port 1723 and GRE on my PIX (515) access-list. I can see the traffic coming in, but when I debug I receive this error (protocol gre received from interface "outside" deny by access-group "outside"). I have the statement to allow any GRE traffic to my server on the inside, yet I keep receiving these errors. Am I missing something? I can connect internally, so I know the server and client are working correctly; it's just when I switch the client to dial-up that it fails. Any help greatly appreciated.
CA If you like my post let me know if I blow an answer...well it's probably late and I have had too many beers! Cheers!!
 
Hey Yizhar...to the rescue again... =)
Cisco 515 IOS 5.2
access-list oustide permit gre any host xx.xx.xx.2
access-list outside permit tcp any host xx.xx.xx.2 eq 1723
When I show the access-list I see hits on the tcp 1723 line but none on the gre....
Like I said before, when I debug I receive the error in my first post. Any ideas? I have looked over the documentation time and time again before I submitted the question here and am at a loss.
 
Also, I failed to mention that I am not using NAT, so this is a routable IP. Nothing in the previous access-list denies any kind of traffic; the only difference is that this server is on my "inside" interface.
 
PIX Version 5.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
enable password KD5yTHD9ywYo32ZI encrypted
passwd b6ZsBGZIV.tPUUgC encrypted
hostname xxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
no names
access-list outside permit udp any host xx.xx.44.2 eq 1723
access-list outside permit tcp any host xx.xx.44.2 eq 1723
access-list oustide permit tcp any eq 1723 host xx.xx.44.2
access-list oustide permit gre any host xx.xx.44.2
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
logging host inside xx.xx.xx.18
logging host inside xx.xx.44.2
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside xx.xx.xx.78 255.255.255.252
ip address inside xx.xx.44.1 255.255.255.224
ip address dmz1 xx.xx.xx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit info action alarm
nat (inside) 0 xx.xx.44.0 255.255.255.224 0 0
static (inside,outside) xx.xx.44.0 xx.xx.44.0 netmask 255.255.255.224 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside xx.xx.xx.18 /tftp
no floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet xx.xx.xx.18 255.255.255.255 inside
telnet xx.xx.xx.18 255.255.255.255 dmz1
telnet xx.xx.xx.4 255.255.255.255 dmz1
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:dfd38a7c18cfb1fd869de7dbc19ea012
: end
 
Silly question...but did you apply the access-list to the outside interface?

I don't see the command in your config:

access-group outside in interface outside
 
There is a typo (outside and oustide) in your access-list, maybe to do with those beers??


access-list outside permit udp any host xx.xx.44.2 eq 1723
access-list outside permit tcp any host xx.xx.44.2 eq 1723
access-list oustide permit tcp any eq 1723 host xx.xx.44.2
access-list oustide permit gre any host xx.xx.44.2

Also, I think you may need to alter the line
access-list oustide permit tcp any eq 1723 host xx.xx.44.2
to
access-list outside permit tcp any host xx.xx.44.2 eq 1723

but check the typo and apply the list to the interface first.
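The two technical points in this thread, that PPTP passthrough needs both tcp/1723 and GRE permitted in a list that is actually bound to the interface with access-group, and that a misspelled list name silently creates a second, never-applied list, can be checked mechanically before the config goes on the box. The following Python is an example added to this page; it is not part of the original posts and not a Cisco tool. It parses only access-list and access-group lines (nothing else of the PIX grammar), and the two sample configs are constructed from the lines posted above, with xx.xx.44.2 standing in for the PPTP server as in the thread.

```python
"""Lint a PIX-style access-list config for the failure mode in this thread.

Example code added to this page; not Cisco tooling.  Only access-list and
access-group lines are parsed.  Sample configs are constructed from the
thread's posted lines, with xx.xx.44.2 as the PPTP server.
"""
import re
from collections import defaultdict

# Constructed sample: the ACL lines as first posted, with the s/t
# transposition in the list name and no access-group binding at all.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit udp any host xx.xx.44.2 eq 1723
access-list outside permit tcp any host xx.xx.44.2 eq 1723
access-list oustide permit tcp any eq 1723 host xx.xx.44.2
access-list oustide permit gre any host xx.xx.44.2
"""

# Constructed sample: what the reply recommends, one correctly named list
# with the control channel and GRE, bound inbound on outside.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit tcp any host xx.xx.44.2 eq 1723
access-list outside permit gre any host xx.xx.44.2
access-group outside in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return ({list name: [(action, protocol, rest)]}, {interface: list name})."""
    acls, groups = defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3).lower(), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return dict(acls), groups


def near_miss(a, b):
    """True if a and b differ by one substituted character or one adjacent transposition."""
    if a == b or len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def lint(text):
    """List the problems that make an access-list entry silently ineffective."""
    acls, groups = parse_config(text)
    applied = set(groups.values())
    findings = []
    for name in acls:
        if name not in applied:
            findings.append(f"access-list {name}: defined but never applied with access-group")
        for other in acls:
            if name < other and near_miss(name, other):
                findings.append(f"access-list names {name!r} and {other!r} differ by one character: probable typo")
    for ifc, lst in groups.items():
        if lst not in acls:
            findings.append(f"access-group on {ifc}: no access-list named {lst!r} exists")
    return findings


def pptp_passthrough_ok(text, interface, server):
    """True if the list applied inbound on `interface` permits tcp/1723 and GRE to `server`.

    PPTP needs both: tcp/1723 carries the control channel and GRE (IP protocol 47)
    carries the tunnelled PPP frames, so a list with only the tcp line gives exactly
    the symptom in the thread (hits on 1723, GRE denied).  `eq 1723` must be the
    destination port: the `tcp any eq 1723 host ...` form matches source port 1723
    and does not count.
    """
    acls, groups = parse_config(text)
    entries = acls.get(groups.get(interface), [])
    target = f"host {server}"
    has_ctl = any(a == "permit" and p == "tcp" and target in r and r.endswith("eq 1723")
                  for a, p, r in entries)
    has_gre = any(a == "permit" and p == "gre" and target in r for a, p, r in entries)
    return has_ctl and has_gre


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["no findings"]:
            print(" ", f)
        print("  PPTP passthrough to xx.xx.44.2:", pptp_passthrough_ok(cfg, "outside", "xx.xx.44.2"))
```

Run as posted, the linter reports both lists as never applied and flags "oustide"/"outside" as a probable transposition; adding only the access-group line still fails the PPTP check, because the GRE entry stays in the unapplied list, which is the exact state that produced the "deny by access-group" debug message above. The fixed config passes with no findings.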
 
Oh man... hahah, thanks for the proofreading. Lack of sleep and ignorance added to me missing the transposition of the s and t. Thanks all for the comments and help; everything is A OK.
 