After cleaning up the traffic filtering rules on a Cisco 2851 router, it turned out that the MultiCash banking program had stopped working on hosts in the internal network.
The specific version of that program that I came across used the PPTP protocol and GRE tunnels to establish secure connections. Therefore I had to:
- Add an entry permitting GRE traffic to the ACL applied to the router’s WAN interface:
    permit gre any host A.B.C.D
- Add the PPTP protocol to the list of protocols inspected by SPI in the out direction on the router’s WAN interface:
    ip inspect name to-internet-ins pptp
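
To keep a later ACL cleanup from removing these two lines again, a saved running-config can be checked for them automatically. The script below is an added example, not part of the original post; the ACL name `wan-in`, the interface name, the other sample config lines and the function `pptp_findings` are assumptions made for illustration.

```python
import re

# Constructed sample config. "wan-in", the interface name and the tcp/deny lines are
# assumptions; "to-internet-ins" and the A.B.C.D placeholder come from the post.
FIXED = """\
ip inspect name to-internet-ins tcp
ip inspect name to-internet-ins pptp
!
interface GigabitEthernet0/0
 ip access-group wan-in in
 ip inspect to-internet-ins out
!
ip access-list extended wan-in
 permit gre any host A.B.C.D
 deny ip any any log
"""
# The same config with both PPTP-related lines removed, as after the cleanup.
BROKEN = (FIXED.replace("ip inspect name to-internet-ins pptp\n", "")
               .replace(" permit gre any host A.B.C.D\n", ""))

def pptp_findings(config):
    """Return the problems that would break PPTP/GRE for inside hosts."""
    inspect, acls, ifaces = {}, {}, {}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command ends the current section
            section = None
            if m := re.fullmatch(r"ip inspect name (\S+) (\S+).*", line):
                inspect.setdefault(m[1], set()).add(m[2])
            elif m := re.fullmatch(r"interface (\S+)", line):
                section = ifaces.setdefault(m[1], {})
            elif m := re.fullmatch(r"ip access-list extended (\S+)", line):
                section = acls.setdefault(m[1], [])
        elif isinstance(section, dict):  # inside an interface block
            if m := re.fullmatch(r"ip access-group (\S+) in", line):
                section["acl"] = m[1]
            elif m := re.fullmatch(r"ip inspect (\S+) out", line):
                section["inspect"] = m[1]
        elif isinstance(section, list):  # inside a named extended ACL
            section.append(line)
    findings = []
    for name, cfg in ifaces.items():
        if "acl" not in cfg or "inspect" not in cfg:
            continue                     # only interfaces with inbound ACL + outbound inspection
        if "pptp" not in inspect.get(cfg["inspect"], set()):
            findings.append(f"{name}: inspect rule {cfg['inspect']} lacks pptp")
        if not any(re.match(r"(\d+ )?permit gre ", e) for e in acls.get(cfg["acl"], [])):
            findings.append(f"{name}: ACL {cfg['acl']} has no permit gre entry")
    return findings
```

An empty list means both entries are present on every interface that combines an inbound ACL with outbound inspection.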