RE: [FW1] FW-1 and PPTP



Without NAT, there should be no problem passing PPTP through FW-1 as long as
those required services are allowed in the rule. Assuming you have
configured that, there is one catch when the PPTP server is NATted. If you call
CP Support, they will say it's not a supported configuration. However, here is
what you can do even though it is very weird.

On the FW, create an object for the NAT address of the PPTP server. However, you
can still use the original object of the server to configure the automatic NAT rule.
Add a rule allowing:
NAT PPTP server / Any or remote network of your choice / GRE / Accept

Now you wonder how come you need a rule allowing a connection from the NAT
address. That's the weird part of this solution. If you sniff the packets
or look at the FW log, you will find that the source IP address of the PPTP
response from the server is strangely the NAT address. As long as this packet
is allowed, the PPTP connection just works.

Disclaimer: If MS realized that this thing is truly weird and shows lack of
security implementation on their VPN technology and came up with some fix,
this might not work any more.

Hope this helps,

Sun Yu, CISSP
Worldwide Services
Lucent Technologies




> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Johnny Trujillo
> Sent: Tuesday, January 09, 2001 3:03 PM
> To: [email protected]
> Subject: [FW1] FW-1 and PPTP
>
>
>
> Does anyone there have experience of running MS VPN
> PPTP through FW-1? We have the need to save and print
> to a remote site in a secure way using Terminal Server
> from our site servers to the user's site workstations
> behind a CKP FW-1. They are using NAT and their FW
> blocks their packets from coming to us. Without the VPN
> they can ping and traceroute to us; with PPTP enabled,
> their FW blocks all packets to us. Any solutions,
> suggestions?
>
> Thank you in advance
>
> ==============================================================
> ==================
>      To unsubscribe from this mailing list, please see the
> instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
>
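As an added example (not part of the original thread and not Check Point tooling), here is a small Python check for the sniffing step described in the reply: it classifies raw IPv4 packets as PPTP control (TCP 1723) or PPTP data (enhanced GRE, IP protocol 47) and reports which server-side address the GRE traffic is sourced from, which is the address the GRE rule has to match. The addresses and the two-packet capture are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_TCP_PORT = 1723        # PPTP control channel
GRE_PPP = 0x880B            # GRE protocol type carried by PPTP (RFC 2637)

def classify(packet: bytes):
    """Return (kind, src, dst); kind is 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    proto, payload, kind = packet[9], packet[ihl:], "other"
    if len(payload) >= 4:
        first, second = struct.unpack("!HH", payload[:4])
        if proto == IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
            kind = "pptp-control"
        # PPTP data uses enhanced GRE: version 1 in the low 3 bits, type 0x880B
        elif proto == IPPROTO_GRE and first & 0x7 == 1 and second == GRE_PPP:
            kind = "pptp-gre"
    return kind, src, dst

def gre_sources(packets, server_addrs):
    """Server-side addresses seen as source of PPTP GRE: what the GRE rule must match."""
    found = {src for kind, src, _ in map(classify, packets)
             if kind == "pptp-gre" and src in server_addrs}
    return sorted(found)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the sample (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample (documentation addresses, not from the original post)
SERVER_REAL, SERVER_NAT, CLIENT = "10.0.0.5", "192.0.2.5", "198.51.100.7"
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, PPTP_TCP_PORT, 1, 0, 0x50, 0x02, 8192, 0, 0)
GRE_DATA = struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, 1, 0)  # K+S set, ver 1, call ID 1
CAPTURE = [ipv4(CLIENT, SERVER_NAT, IPPROTO_TCP, TCP_SYN),
           ipv4(SERVER_NAT, CLIENT, IPPROTO_GRE, GRE_DATA)]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(classify(pkt))
    print("GRE rule source(s):", gre_sources(CAPTURE, {SERVER_REAL, SERVER_NAT}))
```

Fed packets from a real capture taken at the firewall, `gre_sources` shows whether the server's GRE leaves with its real or its NAT address, so the Accept rule can be written for the address actually seen.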






 
   All contents © 2004 Network Presence, LLC. All rights reserved.