Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Can anyone confirm this

To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this
From: Crist Clark <[email protected]>
Date: Tue, 11 Jun 2002 12:59:45 -0700
Organization: Globalstar Communications
References: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

"Holland, Stephen" wrote:
>
> > PPTP uses GRE which does not contain port numbers and therefor, can not be
> > used in conjunction with HIDE NAT (PAT) PPTP client and two or more
> > simultaneous connections to the same PPTP MS server.  This is a flaw in
> > GRE and the terminating server is not able to distinguish the two
> > different connection from the same IP (i.e. PAT).

It is not a flaw in GRE (or the "enhanced-GRE" that PPTP actually usese),
but is a limitation of the Checkpoint NAT implementation. Have a look at
RFC 2637. The call ID field of the enhanced-GRE packet can easily be used
as an identifier which a NAT implementation may use to map multiple enhanced-
GRE streams to separate hosts.

That said, last I knew the Microsoft PPTP server implementation still has a
limitation where it does not understand how to deal with multiple control
connections (1723/tcp) from a single client. Since it sees the same source
IP address from multiple clients behind the firewall, it doesn't deal well.
So in that case, although the firewall will do NAT on the TCP connection
fine, the server can't handle it. (But note this is not an issue when the
_server_ is behind the NATing device. You can have multiple clients (where
"multiple" means they have different source IPs from the server's point
of view) connect to a single server which is behind a NAT device. If the
enhanced-GRE is handled by the NAT implementation, it should work fine.)
--
Crist J. Clark                               [email protected]
Globalstar CommunicationsThe information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] Can anyone confirm this
  - From: "Holland, Stephen" <[email protected]>

Prev by Date: Re: [FW-1] Checkpoint FW-1 Secure Client & XP ICS
Next by Date: Re: [FW-1] HTTP security sever woes on NG... almost there!
Previous by thread: [FW-1] Can anyone confirm this
Next by thread: Re: [FW-1] Can anyone confirm this
Index(es):
- Date
- Thread