
Re: [FW1] RE: PPTP thru FW1




Okay, I will explain this again. I know what your problem is.

In the "Security Policy Tab", you should have two rules like this:
(src,dest,svc,action,log)
net-pptp-allowed, pptp-server, gre/pptp-tcp, accept, long
pptp-server, net-pptp-allowed, gre/pptp-tcp, accept, long

net-pptp-allowed should be a group object containing all the remote subnets you wish to allow PPTP from.
You could use ANY if you like, but I choose to lock things down tightly.

pptp-server is a group object containing for instance:
pptp-server-outside (non RFC1918 "routeable" address exposed to the internet)
pptp-server-inside (RFC1918 address of the real server)

Then you need your "Address Translation Tab" configured this way:
(src,dest,svc,xlate-src,xlate-dest,xlate-svc)
net-pptp-allowed, pptp-server-outside, "ANY", original, pptp-server-inside (static nat), "original"
pptp-server-inside, net-pptp-allowed, "ANY", pptp-server-outside (static nat), original, "original"

This statically NATs the internal server to a non-RFC1918 address that the remote user can connect to.

The quotes are there for emphasis: you cannot change the SERVICE type in a NAT rule except for a very limited number of services that
Firewall-1 understands. Firewall-1 does not understand the contents of a protocol-47 packet and so it is unable to change a service
port, and this is the error you are seeing when you try to set the service type in the NAT tab. You must use ANY to tell it to modify
only source/dest addresses in your rule. It sounds like you are thinking the "service" column in the NAT tab must match what you
have in the Security Policy tab; if this is the case, you have some cleanup to do. In most cases, service will be "any" on
the NAT tab. This is NOT a security concern.

Others have stated that HIDE NAT works for PPTP on Firewall-1 4.1. It depends on which side of the conversation you are talking about.
Do you mean you can put your PPTP "Server" behind HIDE NAT? The answer is NO, it won't work; only static NAT for the server will work.

----- Original Message -----
From: "Naresh Narang" <[email protected]>
To: <[email protected]>; <[email protected]>; <[email protected]>
Sent: Wednesday, May 02, 2001 3:46 AM
Subject: Re: [FW1] RE: PPTP thru FW1


>
> I am sorry for sounding so foolish. I have set up static and Hide NATs
> already. Actually, I meant that whenever I try to add a service with the GRE
> protocol in the NAT rule (whether in a package or alone) the Mgmt. console
> says this service is not allowed for NAT.
>
> Thanks
> Naresh
>
>
> >From: Michael Tench <[email protected]>
> >To: Naresh Narang <[email protected]>, [email protected],
> >[email protected]
> >Subject: Re: [FW1] RE: PPTP thru FW1
> >Date: Tue, 1 May 2001 12:35:30 -0700 (PDT)
> >
> >To perform a manual static NAT:
> >
> >Use the policy editor:
> >1) Create object "foo"
> >2) Create an object called "foo-external"
> >3) Click on the tab labeled "address translation"
> >4) Add a rule in the address translation policy original packet section
> >with a source of object foo to destination of any. In the translation
> >section enter a source of foo-external and destination of any.
> >5) Add another rule in the address translation policy original packet
> >section with a source of object any and a destination of object
> >foo-external. In the translation section enter a source of any and a
> >destination of foo.
> >6) On the firewall create a route from foo-external to foo (in other
> >words, on Unix: route add 192.168.16.5 10.2.1.3 1).
> >
> >You can also do this automatically, but I found that it is easier to do
> >this manually if you operate a number of firewalls.
> >
> >Michael Tench
> >
> >
> >On Tue, 01 May 2001 05:44:35, Naresh Narang wrote:
> >
> > >
> > >  But how does one perform static or any NAT? The Mgmt console does not
> > >  let me do it.
> > >
> > >  Naresh
> > >
> > >
> > >  >From: "Carl E. Mankinen" <[email protected]>
> > >  >To: "Naresh Narang" <[email protected]>,
> > >  ><[email protected]>
> > >  >Subject: RE:
> > >  >Date: Sun, 29 Apr 2001 22:25:17 -0400
> > >  >
> > >  >Static NAT: yes, PPTP works.
> > >  >Hide NAT: no, PPTP doesn't.
> > >  >
> > >  >-----Original Message-----
> > >  >From: [email protected]
> > >  >[mailto:[email protected]] On Behalf Of
> > >  >Naresh Narang
> > >  >Sent: Saturday, April 28, 2001 5:39 AM
> > >  >To: [email protected]
> > >  >Subject:
> > >  >
> > >  >
> > >  >
> > >  >Hi,
> > >  >
> > >  >I am new to this list as well as FW1. I was trying to set up a PDS 2100
> > >  >box running Check Point SmallOffice. It has VPN-1 and FW-1 ver 4.1. I
> > >  >have some issues and it will be great if someone could clarify.
> > >  >
> > >  >1. Does FW1 allow NATing of protocol 47? I came across several posts,
> > >  >and on the Phoneboy site it is mentioned that it does, but it did not
> > >  >let me do that from the Management console. Without this, PPTPD won't
> > >  >work behind FW1.
> > >  >
> > >  >2. Is it possible for SecuRemote to work from a NATed environment? The
> > >  >FW1 address is real, though.
> > >  >
> > >  >Thanks,
> > >  >Naresh
> > >  >
> > >  >
> > >  >
> > >
> > >============================================================================
> > >  >====
> > >  >      To unsubscribe from this mailing list, please see the
> >instructions
> >at
> > >  >                http://www.checkpoint.com/services/mailing.html
> > >
> > >============================================================================
> > >  >====
> > >  >
> > >  >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
>
>
>
>



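The static-versus-hide distinction the reply at the top draws for the PPTP server, as an added toy model in Python. This is not part of the thread and not Check Point code; it does not reproduce FireWall-1's actual matching or state handling. The addresses, the 10000+ hide-port range and the tuple form of the rulebase are constructed for illustration. What it shows is why one-to-one static NAT carries GRE (protocol 47 has no port field, and the mapping rewrites addresses only, with the service left "original") while a server behind many-to-one hide NAT is unreachable: the client's unsolicited TCP/1723 has no inside-initiated table entry to restore, and the server's GRE has no port to multiplex on.

```python
# Added toy model of the two NAT modes the reply contrasts for a PPTP server.
# Not Check Point code: addresses, hide-port range and rule layout are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

TCP, GRE = 6, 47          # IP protocol numbers; PPTP data rides in GRE
PPTP_CTRL_PORT = 1723     # PPTP control channel (TCP)

# Constructed addresses standing in for the thread's objects.
PPTP_SERVER_OUTSIDE = "203.0.113.10"   # pptp-server-outside (routeable)
PPTP_SERVER_INSIDE = "192.168.1.10"    # pptp-server-inside (RFC1918)
REMOTE_CLIENT = "198.51.100.7"         # a member of net-pptp-allowed
FIREWALL_EXT = "203.0.113.1"           # address a hide NAT would use


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None: the protocol has no port field (GRE)
    dport: Optional[int] = None


def service_matches(pkt: Packet, svc: str) -> bool:
    """'gre' is protocol 47, 'pptp-tcp' is TCP to 1723, 'ANY' matches everything."""
    if svc == "ANY":
        return True
    if svc == "gre":
        return pkt.proto == GRE
    if svc == "pptp-tcp":
        return pkt.proto == TCP and pkt.dport == PPTP_CTRL_PORT
    raise ValueError(f"unknown service {svc}")


def policy_accepts(pkt: Packet, rules) -> bool:
    """First-match rulebase of (src_set, dst_set, services, action); implicit drop."""
    for src_set, dst_set, svcs, action in rules:
        if pkt.src in src_set and pkt.dst in dst_set and any(service_matches(pkt, s) for s in svcs):
            return action == "accept"
    return False


class StaticNat:
    """One-to-one mapping; only addresses change, the service stays 'original'."""
    def __init__(self, outside: str, inside: str):
        self.outside, self.inside = outside, inside

    def inbound(self, pkt: Packet) -> Packet:
        return replace(pkt, dst=self.inside) if pkt.dst == self.outside else pkt

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.outside) if pkt.src == self.inside else pkt


class HideNat:
    """Many-to-one: inside hosts share one address and are told apart by a
    rewritten source port, so it needs a port field and an inside-initiated flow."""
    def __init__(self, hide_addr: str):
        self.hide_addr = hide_addr
        self.table: Dict[int, Tuple[str, int]] = {}   # hide port -> (inside src, sport)
        self.next_port = 10000   # constructed port range

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None   # no port to multiplex on: GRE cannot be hidden
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_addr, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get(pkt.dport) if pkt.dport is not None else None
        if pkt.dst != self.hide_addr or entry is None:
            return None   # nothing to restore: the packet is dropped
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)


# The two Security Policy rules from the reply, with constructed members.
NET_PPTP_ALLOWED = {REMOTE_CLIENT}
PPTP_SERVER = {PPTP_SERVER_OUTSIDE, PPTP_SERVER_INSIDE}   # both addresses, as in the reply
RULES = [
    (NET_PPTP_ALLOWED, PPTP_SERVER, ("gre", "pptp-tcp"), "accept"),
    (PPTP_SERVER, NET_PPTP_ALLOWED, ("gre", "pptp-tcp"), "accept"),
]


def pptp_via_static_nat() -> Tuple[str, str, str]:
    """Inbound TCP/1723 and GRE reach the inside address; the server's GRE leaves
    with the outside address. Returns (ctrl dst, GRE dst, outbound GRE src)."""
    nat = StaticNat(PPTP_SERVER_OUTSIDE, PPTP_SERVER_INSIDE)
    ctrl = Packet(REMOTE_CLIENT, PPTP_SERVER_OUTSIDE, TCP, 40000, PPTP_CTRL_PORT)
    gre_in = Packet(REMOTE_CLIENT, PPTP_SERVER_OUTSIDE, GRE)
    gre_out = nat.outbound(Packet(PPTP_SERVER_INSIDE, REMOTE_CLIENT, GRE))
    assert all(policy_accepts(p, RULES) for p in (ctrl, gre_in, gre_out))
    return nat.inbound(ctrl).dst, nat.inbound(gre_in).dst, gre_out.src


def pptp_server_behind_hide_nat() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Same server hidden behind the firewall address: the client's unsolicited
    TCP/1723 has no mapping, and the server's GRE cannot be hidden. Both None."""
    nat = HideNat(FIREWALL_EXT)
    ctrl = Packet(REMOTE_CLIENT, FIREWALL_EXT, TCP, 40000, PPTP_CTRL_PORT)
    gre = nat.outbound(Packet(PPTP_SERVER_INSIDE, REMOTE_CLIENT, GRE))
    return nat.inbound(ctrl), gre
```

Calling `pptp_via_static_nat()` returns the inside address for both inbound packets and the outside address for the server's GRE, which is the traffic pattern the two Security Policy rules above are written to accept; `pptp_server_behind_hide_nat()` returns `(None, None)`. The `HideNat` class still works for an ordinary TCP client originating from the inside, which is the difference between the two sides of the conversation the reply points out.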