Gary,

As far as I know, Check Point would say 'PPTP with static NAT' is definitely NOT a supported configuration. Below is a way I once made it work though. But remember that you'll not be able to get technical support from Check Point with this configuration because of their official stance.
Along with all the configurations you already have:

Create an object with the NATed PPTP server address.

Then, allow a GRE service from the above object going out.
The rationale behind this configuration is really weird. You'll see a GRE packet from the PPTP server has a NATed address as its source address. How does this PPTP server know about this address? I can't confirm, but I believe the PPTP server learned about it from the first response from its client. Anyway, you just need to configure the FW to allow the NATed address coming from inside your network to go out.
One disclaimer: This might not work if MS PPTP has been changed in this regard in the past year or so.

Hope this helps,

Sun Yu CISSP, LCTE/InterNetworking, CCSE, CCNA
Lucent Technologies
Dear All,

I need a definite answer on this:

Are PPTP and static NAT definitely supported, or at LEAST POSSIBLE, on FW1 V4.1????

I have tried all the tips I can find and still cannot get it working!
Running FW1 V4.1 SP2 on NT, trying to VPN using Windows 2000 VPN (PPTP) to a Win2K server.

Firstly, I have added the following and it still does not work:
Using static NAT to the pptp server:

(src, dest, svc, action, track)
any, pptp-server, gre/pptp-tcp, accept, long
pptp-server, any, gre/pptp-tcp, accept, long

pptp-server is a group object containing, for instance:
pptp-server-outside - static NAT (non-RFC1918 "routeable" address exposed to the internet)
pptp-server-inside - internal 10.1.2.2 (RFC1918 address of the real server)
Address Translation configured in this manner:

(src, dest, svc, xlate-src, xlate-dest, xlate-svc)
any, pptp-server-outside, "ANY", original, pptp-server-inside (static nat), "original"
pptp-server-inside, any, "ANY", pptp-server-outside (static nat), original, "original"

This should statically NAT the internal server to a non-RFC1918 address that the remote user can connect to. But it does not work....
Allowing the following through:

gre, defined as ip_p = 47, [22:2,b] = 0x880B
port 1723
port 500
port 34827

STILL NO JOY.
ANY definitive answers would be most welcome!

Regards,
Gary
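The "gre" service Gary defines above (ip_p = 47 and the two bytes at offset 22 equal to 0x880B) is an INSPECT-style byte match on the raw IP packet: protocol 47 is GRE, and 0x880B is the GRE protocol-type value PPTP uses to carry PPP. The script below is an added example written for this thread, not code from either poster or from Check Point. It constructs a few sample packets in memory, evaluates exactly that predicate, and also decodes the enhanced GRE header PPTP uses (flags, protocol type, payload length, call ID, optional sequence and acknowledgement numbers, per RFC 2637) so the source address and call ID a NAT device or rule base has to track are visible. The packet builders, the IP checksum being left at zero, and the sample addresses are all assumptions of the example. One thing it shows that the thread does not: the fixed-offset check assumes a 20-byte IP header, so a GRE packet carrying IP options is not matched by the byte test even though it is still PPTP.

```python
"""Evaluate an INSPECT-style PPTP/GRE match and decode the RFC 2637 GRE header.

Added example for this thread; constructed packets, not captured traffic.
"""
import socket
import struct

GRE_PROTOCOL = 47          # ip_p = 47 in the thread's service definition
PPP_PROTOCOL_TYPE = 0x880B  # [22:2,b] = 0x880B: GRE protocol type for PPP


def build_ipv4(src, dst, proto, payload, options=b""):
    """Build a minimal IPv4 packet (checksum left zero; constructed sample only)."""
    assert len(options) % 4 == 0
    ihl = (20 + len(options)) // 4
    total_len = 20 + len(options) + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE header as PPTP uses it (RFC 2637): K=1, version 1, protocol 0x880B."""
    flags = 0x2001                          # K (key present) and version 1
    if seq is not None:
        flags |= 0x1000                     # S bit: sequence number present
    if ack is not None:
        flags |= 0x0080                     # A bit: acknowledgement number present
    header = struct.pack("!HHHH", flags, PPP_PROTOCOL_TYPE, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def is_pptp_gre(pkt):
    """The thread's service definition, literally: ip_p == 47 and bytes 22..23 == 0x880B.

    Offset 22 is only the GRE protocol-type field when the IP header is 20 bytes.
    """
    if len(pkt) < 24:
        return False
    return pkt[9] == GRE_PROTOCOL and struct.unpack_from("!H", pkt, 22)[0] == PPP_PROTOCOL_TYPE


def decode_pptp_gre(pkt):
    """IHL-aware decoder; returns the fields a NAT or rule base needs, or None if not PPTP GRE."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[9] != GRE_PROTOCOL:
        return None
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", pkt, ihl)
    if proto != PPP_PROTOCOL_TYPE:
        return None
    offset = ihl + 8
    seq = ack = None
    if flags & 0x1000:
        seq = struct.unpack_from("!I", pkt, offset)[0]
        offset += 4
    if flags & 0x0080:
        ack = struct.unpack_from("!I", pkt, offset)[0]
        offset += 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "gre_version": flags & 0x7,
        "call_id": call_id,
        "payload_len": payload_len,
        "seq": seq,
        "ack": ack,
        "payload": pkt[offset:offset + payload_len],
    }


# Constructed samples: the internal server 10.1.2.2 from the thread, a made-up client.
PPP_LCP_FRAGMENT = b"\xff\x03\xc0\x21"   # PPP address/control + LCP protocol id
SERVER_TO_CLIENT = build_ipv4("10.1.2.2", "203.0.113.10", GRE_PROTOCOL,
                              build_pptp_gre(0x1234, PPP_LCP_FRAGMENT, seq=1))
# Plain GRE (RFC 2784 style) carrying IP, not PPTP: same ip_p, different protocol type.
PLAIN_GRE = build_ipv4("10.1.2.2", "203.0.113.10", GRE_PROTOCOL,
                       struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + b"\x00" * 19)
# Same PPTP payload behind four NOP options (IHL 6): byte 22 is no longer the GRE field.
WITH_IP_OPTIONS = build_ipv4("10.1.2.2", "203.0.113.10", GRE_PROTOCOL,
                             build_pptp_gre(0x1234, PPP_LCP_FRAGMENT, seq=1),
                             options=b"\x01\x01\x01\x01")


if __name__ == "__main__":
    for name, pkt in [("server->client", SERVER_TO_CLIENT), ("plain gre", PLAIN_GRE),
                      ("with ip options", WITH_IP_OPTIONS)]:
        print(name, "matches inspect 'gre':", is_pptp_gre(pkt), "decoded:", decode_pptp_gre(pkt))
```

Running it prints the match result and decoded fields for each sample. The decoded "src" is the point Sun Yu's reply turns on: a rule that accepts GRE only from the internal object never sees a packet whose source is the translated address, which is why his workaround adds the NATed address as an allowed source. The call ID is what a NAT device must keep consistent per PPTP session, since the GRE data stream has no ports for it to map.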