[FW1] PPTP through Check Point FW-1 using static NAT
I am having trouble in getting PPTP to work through a Check Point firewall (Ver 4.1 SP2) using static NAT. I have set the firewall up according to the instructions laid out on the Phoneboy site ==>

****************************************************************************

You must add a rule permitting access between your PPTP clients and server. PPTP uses two services:

* TCP port 1723 for a control session
* A variation of the GRE protocol (IP Protocol 47) for data.

To create this last service, create the service as a service of type Other. For the name, use PPTP-Data. In the match field, put:

ip_p = 47, [22:2,b] = 0x880B

(Note: ip_p = 47 identifies the IP protocol type as GRE. [22:2,b] = 0x880B identifies the payload protocol as GRE.)

The rules look like this:

Source        Destination   Service                  Action
PPTP-Clients  PPTP-Server   PPTP-Control, PPTP-Data  Accept
PPTP-Server   PPTP-Clients  PPTP-Control, PPTP-Data  Accept

PPTP will work with Static NAT, but not HIDE NAT.

****************************************************************************

The Problem:

Basically the PPTP session gets set up okay and the user is prompted for a username and password. Upon sending this info the session times out after about 30 secs and yields some generic failure message (can't recall exactly what at the moment). The NT event log on the PPTP server (NT 4.0 SP5) shows the following error:

Event ID: 20777. An error occurred in the point to point protocol module on VPNx. The PPP negotiation is not converging.

If the PPTP server is moved outside the firewall (in parallel with the firewall), everything works just fine. I have done sniffer traces with the PPTP server in both locations to get a comparison. The data shows that the session gets administratively reset by the PPTP server with no errors.

Does anyone have any idea on what might be wrong or what I might try? Any help would be much appreciated.

Thanks
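Added example, not part of the original post or of the quoted Phoneboy instructions: a Python check that applies the PPTP-Data match (`ip_p = 47, [22:2,b] = 0x880B`) to raw IPv4 bytes, useful for testing packets taken from a sniffer trace against the rule. It assumes `[22:2,b]` means two bytes at offset 22 from the start of the IP header, read big-endian; the function names and sample packets are constructed for illustration.

```python
import struct

GRE_PROTO = 47          # ip_p = 47
PPTP_GRE_TYPE = 0x880B  # value the match field compares against

def fixed_offset_match(pkt: bytes) -> bool:
    """Apply the rule literally: IP protocol byte and 2 bytes at offset 22."""
    if len(pkt) < 24:
        return False
    return (pkt[9] == GRE_PROTO
            and struct.unpack_from("!H", pkt, 22)[0] == PPTP_GRE_TYPE)

def header_aware_match(pkt: bytes) -> bool:
    """Same test, but find the GRE header from the IP header length (IHL)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        return False
    # The GRE protocol type is the second 16-bit word of the GRE header.
    return (pkt[9] == GRE_PROTO
            and struct.unpack_from("!H", pkt, ihl + 2)[0] == PPTP_GRE_TYPE)

def build_packet(proto: int, gre_type: int, options: bytes = b"") -> bytes:
    """Constructed sample: IPv4 header (checksum left 0) + 8-byte GRE header."""
    assert len(options) % 4 == 0
    ihl_words = 5 + len(options) // 4
    # flags/version (key bit set, version 1), type, payload length, call ID
    gre = struct.pack("!HHHH", 0x2001, gre_type, 0, 0x1234)
    total = ihl_words * 4 + len(gre)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0,
                     64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + options + gre

if __name__ == "__main__":
    samples = {
        "PPTP data, no IP options": build_packet(47, 0x880B),
        "plain GRE carrying IPv4": build_packet(47, 0x0800),
        "PPTP data, 4 bytes of IP options": build_packet(47, 0x880B, b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(f"{name}: fixed={fixed_offset_match(pkt)} "
              f"aware={header_aware_match(pkt)}")
```

Offset 22 lands on the GRE protocol type only when the IP header is the usual 20 bytes; the third sample shows a packet with IP options failing the fixed-offset test.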