In my experience this is correct. I've also found that
many/most VPN's do not like to be initiated from behind a HIDE NAT'd situation
- easily fixed by doing a STATIC with a unique public IP (but defeats the
purpose of NAT in the first place if you have a number of users needing
this).
As an aside, for some reason I've found that when you put a
PPTP server behind CP 4.1 NAT and statically map a public IP, you also have to
create an object with the public IP, and create an inbound rule with that
public and the PPTP service object, as well as an inbound rule with the
internal IP (that has the NAT rule specified as well). Don't know why,
and it doesn't happen with other services (http, terminal services, pretty
much anything I've tried) where you only need to create a rule using the
internal address. With PPTP, if you just do the internal IP, you can
initiate a connection on port 1723, but it times out trying to
authenticate.
-----Original Message-----
From: Crist
Clark [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 4:00 PM
To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this
"Holland, Stephen" wrote:
>
> > PPTP uses GRE which does not contain port numbers
and therefor, can not be
> > used in conjunction
with HIDE NAT (PAT) PPTP client and two or more
>
> simultaneous connections to the same PPTP MS server. This is a flaw
in
> > GRE and the terminating server is not
able to distinguish the two
> > different
connection from the same IP (i.e. PAT).
It is not a flaw in GRE (or the "enhanced-GRE" that PPTP
actually usese),
but is a limitation of the Checkpoint
NAT implementation. Have a look at
RFC 2637. The call
ID field of the enhanced-GRE packet can easily be used
as an identifier which a NAT implementation may use to map multiple
enhanced-
GRE streams to separate hosts.
That said, last I knew the Microsoft PPTP server
implementation still has a
limitation where it does
not understand how to deal with multiple control
connections (1723/tcp) from a single client. Since it sees the same
source
IP address from multiple clients behind the
firewall, it doesn't deal well.
So in that case,
although the firewall will do NAT on the TCP connection
fine, the server can't handle it. (But note this is not an issue when
the
_server_ is behind the NATing device. You can have
multiple clients (where
"multiple" means they have
different source IPs from the server's point
of view)
connect to a single server which is behind a NAT device. If the
enhanced-GRE is handled by the NAT implementation, it should
work fine.)
--
Crist J.
Clark
[email protected]
Globalstar
Communications
The information contained in this e-mail message is
confidential,
intended only for the use of the
individual or entity named above.
If the reader of
this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended
recipient,
you are hereby notified that any review,
dissemination, distribution or
copying of this
communication is strictly prohibited. If you have
received this e-mail in error, please contact
[email protected]
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set
fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please
see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================