RE: [FW1] FW-1 and PPTP
Without NAT, there should be no problem passing PPTP through FW-1 as far as those required services are allowed in the rule. Assuming you have configured that, there is one catch when the PPTP server is NATted. If you call CP Support, they will say it's not a supported configuration. However, here is what you can do, even though it is very weird.

On the FW, create an object for the NAT address of the PPTP server. However, you can still use the original object of the server to configure the automatic NAT rule.

Add a rule allowing:

NAT PPTP server / Any or remote network of your choice / GRE / Accept

Now you wonder how come you need a rule allowing a connection from the NAT address. That's the weird part of this solution. If you sniff on the packet or FW log, you will find that the source IP address of the PPTP response from the server is strangely the NAT address. As far as this packet is allowed, the PPTP connection just works.

Disclaimer: If MS realized that this thing is truly weird and shows a lack of security implementation in their VPN technology and came up with some fix, this might not work any more.

Hope this helps,

Sun Yu, CISSP
Worldwide Services
Lucent Technologies

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Johnny Trujillo
> Sent: Tuesday, January 09, 2001 3:03 PM
> To: [email protected]
> Subject: [FW1] FW-1 and PPTP
>
> Has anyone there had experience of running MS VPN
> PPTP through FW-1? We have the need to save and print
> to a remote site in a secure way using Terminal Server
> from our site servers to the user's site workstations
> behind a CKP FW-1. They are using NAT and their FW
> blocks their packets to come to us. Without the VPN
> they can ping and traceroute to us; with PPTP enabled,
> their FW blocks all packets to us. Any solutions,
> suggestions?
>
> Thank you in advance
>
> ================================================================================
> To unsubscribe from this mailing list, please see the
> instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
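A capture-side check for the behaviour described in the reply, as an added example that is not part of the original thread: it parses raw IPv4 packets, picks out PPTP's enhanced GRE (IP protocol 47, protocol type 0x880B per RFC 2637), and lists the GRE source addresses that no accept rule names as a source. The addresses, sample packets and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

GRE_PROTO = 47          # IP protocol number matched by the "GRE" service in the rule
PPTP_GRE_TYPE = 0x880B  # protocol type of PPTP's enhanced GRE header (RFC 2637)

def build_packet(src, dst, call_id, proto=GRE_PROTO):
    """Constructed IPv4 + enhanced GRE header for the demo (IP checksum left 0)."""
    gre = struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, call_id, 1)  # K and S set, version 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + gre

def parse_pptp_gre(packet):
    """Return (src, dst, call_id) for a PPTP GRE packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != GRE_PROTO or len(packet) < ihl + 8:
        return None
    flags, ptype, _payload_len, call_id = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if flags & 0x0007 != 1 or ptype != PPTP_GRE_TYPE:  # enhanced GRE is version 1
        return None
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), call_id)

def gre_sources(packets):
    """Count PPTP GRE packets per source address."""
    parsed = (parse_pptp_gre(p) for p in packets)
    return Counter(p[0] for p in parsed if p is not None)

def sources_without_rule(packets, allowed_sources):
    """GRE source addresses seen in the capture that no accept rule lists as source."""
    return sorted(set(gre_sources(packets)) - set(allowed_sources))

# Constructed addresses for the demo, not taken from the thread.
SERVER_REAL, SERVER_NAT, CLIENT = "10.0.0.10", "192.0.2.10", "198.51.100.20"
CAPTURE = [
    build_packet(CLIENT, SERVER_REAL, call_id=7),
    build_packet(SERVER_NAT, CLIENT, call_id=9),   # reply sourced from the NAT address
    build_packet(SERVER_NAT, CLIENT, call_id=9),
    build_packet(SERVER_REAL, CLIENT, call_id=0, proto=6),  # not GRE, ignored
]

if __name__ == "__main__":
    print(gre_sources(CAPTURE))
    print(sources_without_rule(CAPTURE, [CLIENT, SERVER_REAL]))
```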