
Re: [FW-1] Can anyone confirm this

Glenn,
 
Re the aside on a PPTP server behind CP4.1 static NAT, I ran into this conundrum on a client site as well, not ever completely understanding why I needed an *inbound* as well as an *outbound* rule for a stateful connection... best I could figure was that GRE/PPTP isn't quite as stateful as the "usual" traffic.  However, what I actually got working was two rules:
 
Inbound rule:    Any (src) --> PPTP-Internal-IP (dest) PPTP (svc)
Outbound rule:  PPTP-External-IP (src) --> Any (dest) PPTP (svc)
 
This sounds a little bit tighter than what you described.  This didn't work for you?  Or maybe the 2-inbound-rule and the ruleset above are equivalent in terms of the net (perceptible) effect on the user?
 
-----Original Message-----
From: Glenn Mabbutt [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 1:59 PM
To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this

In my experience this is correct.  I've also found that many/most VPNs do not like to be initiated from behind a HIDE NAT'd situation - easily fixed by doing a STATIC with a unique public IP (but it defeats the purpose of NAT in the first place if you have a number of users needing this).

As an aside, for some reason I've found that when you put a PPTP server behind CP 4.1 NAT and statically map a public IP, you also have to create an object with the public IP, and create an inbound rule with that public and the PPTP service object, as well as an inbound rule with the internal IP (that has the NAT rule specified as well).  Don't know why, and it doesn't happen with other services (http, terminal services, pretty much anything I've tried) where you only need to create a rule using the internal address.  With PPTP, if you just do the internal IP, you can initiate a connection on port 1723, but it times out trying to authenticate.

-----Original Message-----
From: Crist Clark [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 4:00 PM
To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this


"Holland, Stephen" wrote:
>
> > PPTP uses GRE which does not contain port numbers and therefore cannot be
> > used in conjunction with HIDE NAT (PAT) PPTP client and two or more
> > simultaneous connections to the same PPTP MS server.  This is a flaw in
> > GRE and the terminating server is not able to distinguish the two
> > different connections from the same IP (i.e. PAT).

It is not a flaw in GRE (or the "enhanced-GRE" that PPTP actually uses),
but is a limitation of the Checkpoint NAT implementation. Have a look at
RFC 2637. The call ID field of the enhanced-GRE packet can easily be used
as an identifier which a NAT implementation may use to map multiple enhanced-
GRE streams to separate hosts.

That said, last I knew the Microsoft PPTP server implementation still has a
limitation where it does not understand how to deal with multiple control
connections (1723/tcp) from a single client. Since it sees the same source
IP address from multiple clients behind the firewall, it doesn't deal well.
So in that case, although the firewall will do NAT on the TCP connection
fine, the server can't handle it. (But note this is not an issue when the
_server_ is behind the NATing device. You can have multiple clients (where
"multiple" means they have different source IPs from the server's point
of view) connect to a single server which is behind a NAT device. If the
enhanced-GRE is handled by the NAT implementation, it should work fine.)
--
Crist J. Clark                               [email protected]
Globalstar Communications                               
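As an added example (not part of any message in this thread), here is the call-ID-based mapping Crist describes, in Python: a parser for the enhanced-GRE header of RFC 2637 and a toy NAT table that allocates a distinct public call ID per inside host and demultiplexes server-to-client packets on it. The host addresses, the sequential ID allocation, and reducing the 1723/tcp control-channel rewrite to a single register_call() hook are assumptions of this example.

```python
import struct

PPTP_PROTO = 0x880B  # protocol type of PPP carried in enhanced GRE (RFC 2637)

def build_enhanced_gre(call_id, payload, seq=None, ack=None):
    """Build an enhanced-GRE packet: K bit always set, S/A bits only when used."""
    flags = 0x20 | (0x10 if seq is not None else 0)  # C R K S s Recur
    ver = 0x01 | (0x80 if ack is not None else 0)    # A Flags Ver=1
    hdr = struct.pack("!BBHHH", flags, ver, PPTP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_enhanced_gre(pkt):
    """Return (call_id, payload); reject anything that is not enhanced GRE/PPTP."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if not flags & 0x20 or (ver & 0x07) != 1 or proto != PPTP_PROTO:
        raise ValueError("not an enhanced-GRE/PPTP packet")
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)
    if len(pkt) < off + plen:
        raise ValueError("payload length exceeds packet")
    return call_id, pkt[off:off + plen]

class PptpNat:
    """Give each (inside host, client call ID) its own call ID on the public side."""
    def __init__(self):
        self._out = {}  # (inside_ip, client_call_id) -> public_call_id
        self._in = {}   # public_call_id -> (inside_ip, client_call_id)

    def register_call(self, inside_ip, client_call_id):
        """Client's Outgoing-Call-Request on 1723/tcp passes through: allocate the
        public call ID the NAT would write into that message (assumed behaviour)."""
        key = (inside_ip, client_call_id)
        if key not in self._out:
            public_id = len(self._in) + 1  # assumption: sequential, never reused
            self._out[key] = public_id
            self._in[public_id] = key
        return self._out[key]

    def inbound(self, pkt):
        """Server-to-client GRE: its Call ID names the client's call, so demultiplex
        on it and restore the client's original ID before forwarding inside."""
        call_id, _ = parse_enhanced_gre(pkt)
        inside_ip, orig_id = self._in[call_id]
        return inside_ip, pkt[:6] + struct.pack("!H", orig_id) + pkt[8:]
```

Two inside hosts that both picked client call ID 1 get public IDs 1 and 2, so the server's replies stay separable; a NAT that leaves the field alone is what produces the symptom in the quoted note.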


   All contents © 2004 Network Presence, LLC. All rights reserved.