In my experience this is correct. I've also found that
many/most VPN's do not like to be initiated from behind a HIDE NAT'd
situation - easily fixed by doing a STATIC with a unique public IP (but
defeats the purpose of NAT in the first place if you have a number of users
needing this).
As an aside, for some reason I've found that when you put a
PPTP server behind CP 4.1 NAT and statically map a public IP, you also have
to create an object with the public IP, and create an inbound rule with that
public and the PPTP service object, as well as an inbound rule with the
internal IP (that has the NAT rule specified as well). Don't know why,
and it doesn't happen with other services (http, terminal services, pretty
much anything I've tried) where you only need to create a rule using the
internal address. With PPTP, if you just do the internal IP, you can
initiate a connection on port 1723, but it times out trying to
authenticate.
-----Original Message-----
From:
Crist Clark [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 4:00 PM
To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this
"Holland, Stephen" wrote:
>
> > PPTP uses GRE which does not
contain port numbers and therefor, can not be
>
> used in conjunction with HIDE NAT (PAT) PPTP client and two or
more
> > simultaneous connections to the same
PPTP MS server. This is a flaw in
> >
GRE and the terminating server is not able to distinguish the two
> > different connection from the same IP (i.e.
PAT).
It is not a flaw in GRE (or the "enhanced-GRE" that PPTP
actually usese),
but is a limitation of the
Checkpoint NAT implementation. Have a look at
RFC
2637. The call ID field of the enhanced-GRE packet can easily be used
as an identifier which a NAT implementation may use to map
multiple enhanced-
GRE streams to separate
hosts.
That said, last I knew the Microsoft PPTP server
implementation still has a
limitation where it does
not understand how to deal with multiple control
connections (1723/tcp) from a single client. Since it sees the same
source
IP address from multiple clients behind the
firewall, it doesn't deal well.
So in that case,
although the firewall will do NAT on the TCP connection
fine, the server can't handle it. (But note this is not an issue when
the
_server_ is behind the NATing device. You can
have multiple clients (where
"multiple" means they
have different source IPs from the server's point
of
view) connect to a single server which is behind a NAT device. If the
enhanced-GRE is handled by the NAT implementation, it
should work fine.)
--
Crist
J.
Clark
[email protected]
Globalstar
Communications
The information contained in this e-mail message is
confidential,
intended only for the use of the
individual or entity named above.
If the reader of
this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended
recipient,
you are hereby notified that any review,
dissemination, distribution or
copying of this
communication is strictly prohibited. If you have
received this e-mail in error, please contact
[email protected]
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set
fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please
see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================