RE: [FW1] Can anyone say if PPTP and static NAT are definitely supported by V4.1????

["Byoung Sun Yu" <byu2@FW1-NOSPAMlucent.com>]

Gary,

 

As far as I know, Check Point would say 'PPTP with static NAT' is definately NOT supported configuration. Below is a way I once made it work though. But remember that you'll not be able to get technical support from Check Point with this configuration because of their official stance.

 

Along with your all configurations you have already;

Create an object with the NATed PPTP server address.

Then, allow a GRE service from above object going out.

 

Rationale behind this configuration is really weird. You'll see a GRE packet from the PPTP server has a NATed address as its source address. How this PPTP server know about this address? I can't confirm but I believe PPTP server learned about it from the first response from its client. Anyway, you just need to configure FW to allow NATed address coming from inside your network to go out.

 

One disclaimer: This might not work if MS PPTP has been changed with this regard in the past year or so.

 

Hope this help

Sun Yu
CISSP, LCTE/InterNetworking, CCSE, CCNA
Lucent Technologies

-----Original Message-----
From: owner-fw-1-mailinglist@lists.us.checkpoint.com [mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]On Behalf Of Gary Wilson
Sent: Tuesday, July 17, 2001 5:16 PM
To: fw-1-mailinglist@beethoven.us.checkpoint.com
Subject: [FW1] Can anyone say if PPTP and static NAT are definitely supported by V4.1????

Dear All

 

I need a definite answer on this:

 

Is if PPTP and static NAT are definitely supported or at LEAST POSSIBLE on FW1 V4.1????

 

I have tried all the tips I can find and still cannot get it working!

 

Running FW1 V4.1 SP2 on NT trying to VPN using Windows 2000 VPN (PPTP) to a Win2K server.

 

Firstly I have added the following and it still does not work:

 

Using static NAT to the pptp server

 

any, pptp-server, gre/pptp-tcp, accept, long
pptp-server, any, gre/pptp-tcp, accept, long

pptp-server is a group object containing for instance:
pptp-server-outside -static NAT (non RFC1918 "routeable" address exposed to the internet)
pptp-server-inside - internal 10.1.2.2 (RFC1918 address of the real server)

Address Translation configured in this manner:
(src,dest,svc,xlate-src,xlate-dest,xlate-svc)
any, pptp-server-outside, "ANY", original, pptp-server-inside (static nat), "original"
pptp-server-inside, any, "ANY", pptp-server-outside (static nat), original, "original"

This should statically nat's the internal server to a non-RFC1918 address that the remote user can connect to.  But it does not work....

 

Allowing the following through:

gre defined as ip_p = 47, [22:2,b] = 0x880B

port 1723

port 500

port 34827

 

STILL NO JOY.

 

ANY definitive answers would be most welcome!

 

Regards

Gary