You will need to define a rule that allows services PPTP-TCP and GRE (Generic Routing Protocol) inbound and outbound between ANY and your VPN server. The PPTP-TCP definition allows port 1723 on any port by default, although you can specify a range if desired. The GRE definition allows IP protocol 47. Unless you explicitly deny them, no port should be blocked if you set it up this way.
Michael R. Cook, CCSA/CCSE Network Analyst Information Systems Norton Healthcare [email protected]
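As an added illustration (not part of the thread and not Check Point code), the following Python model of a first-match packet filter tracks TCP state but treats GRE statelessly, which is how a port-based firewall sees a protocol that has no ports. The host names, the client's source port and the rule layout are constructed for the example. It shows the control channel on TCP 1723 working with an inbound-only rule while the VPN server's GRE packets back to the client are dropped, that widening the service to Any on the same one-directional rule does not help, and that a rule for protocol 47 from the VPN server outward, as Michael describes, is what lets the tunnel through.

```python
"""Toy first-match, stateful packet filter showing why a PPTP rule needs
GRE (IP protocol 47) allowed in both directions.

Host names, the client's source port and the rulesets are constructed for
the illustration; this is not Check Point FW-1 code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PROTO_TCP = 6
PROTO_GRE = 47        # carries the PPP payload of a PPTP session; has no port numbers
PPTP_PORT = 1723      # PPTP control channel
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str                      # host name or ANY
    dst: str
    proto: Optional[int]          # None matches any IP protocol ("Any" service)
    dport: Optional[int] = None   # None matches any destination port
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src)
                and self.dst in (ANY, p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match ruleset with an implicit drop and connection tracking for TCP.

    Replies to an accepted TCP connection pass via the state table, so one
    client->server rule for TCP 1723 covers the control channel.  GRE gets no
    state entry here, so the server's GRE packets back to the client must be
    matched by a rule of their own.
    """

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.tcp_state: Set[Tuple[str, str, int, int]] = set()

    def filter(self, p: Packet) -> str:
        if p.proto == PROTO_TCP and (p.dst, p.src, p.dport, p.sport) in self.tcp_state:
            return "accept"                      # reply to a tracked connection
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept" and p.proto == PROTO_TCP:
                    self.tcp_state.add((p.src, p.dst, p.sport, p.dport))
                return r.action
        return "drop"                            # cleanup rule


def pptp_session(fw: Firewall, client: str, server: str, sport: int = 40001) -> List[str]:
    """Verdicts for a minimal PPTP session, in order: client SYN to 1723,
    server reply on the control channel, client GRE, server GRE."""
    exchange = [
        Packet(client, server, PROTO_TCP, sport, PPTP_PORT),
        Packet(server, client, PROTO_TCP, PPTP_PORT, sport),
        Packet(client, server, PROTO_GRE),
        Packet(server, client, PROTO_GRE),
    ]
    return [fw.filter(p) for p in exchange]


VPN = "vpn-server"   # constructed name standing in for the DMZ VPN server

# Inbound-only rules: the control channel works, the tunnel does not.
INBOUND_ONLY = [
    Rule(ANY, VPN, PROTO_TCP, PPTP_PORT),
    Rule(ANY, VPN, PROTO_GRE),
]

# "Any" service, but still only towards the VPN server: the direction is the problem.
ANY_SERVICE_INBOUND = [Rule(ANY, VPN, None)]

# PPTP-TCP and GRE in both directions between ANY and the VPN server.
BOTH_WAYS = INBOUND_ONLY + [
    Rule(VPN, ANY, PROTO_TCP, PPTP_PORT),
    Rule(VPN, ANY, PROTO_GRE),   # the rule that lets the server's GRE reach the client
]

if __name__ == "__main__":
    for name, rules in (("inbound only", INBOUND_ONLY),
                        ("any service inbound", ANY_SERVICE_INBOUND),
                        ("both ways", BOTH_WAYS)):
        print(f"{name:20s}", pptp_session(Firewall(rules), "client", VPN))
```

The fourth verdict is the one to watch: it stays "drop" for both one-directional rulesets and becomes "accept" only once a rule covers protocol 47 from the VPN server outward.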
Put the tcp-high-ports service into the rule. The PPTP server is trying to use a port higher than 1024, and the firewall is rejecting it because you don't have the high ports enabled, which would allow the server to talk back to the client via high ports.
Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail: [email protected]
----- Original Message -----
Sent: Monday, March 05, 2001 3:24 PM
Subject: [FW1] FW-1 and Microsoft VPN
Hopefully someone out there can give me some ideas.

We have a Microsoft VPN server set up in our DMZ off a Checkpoint FW-1 Solaris box.
I'm sorry for that! Hopefully, you might be healthy... :)
Access to the VPN has been allowed for clients to access the VPN using PPTP services. When this is tested we can watch the log viewer and see the client getting through the firewall using PPTP and a service labeled 34827. Then when the VPN server attempts to send packets back to the client it uses the service labeled 34827, but the firewall is dropping these packets. When testing it we opened up the rule for any service to be accepted, but they are still being dropped. The service 34827 uses a protocol simply labeled as 47.

Is there anyone out there who may have a similar setup and experienced similar problems that might be able to help shed some light on this?
Thankx, Kurt Shaffer
Try http://www.phoneboy.com/fw1/faq/0321.html
Best wishes
ayltonsz