In my experience this is correct. I've also found
that many/most VPN's do not like to be initiated from behind a HIDE NAT'd
situation - easily fixed by doing a STATIC with a unique public IP (but
defeats the purpose of NAT in the first place if you have a number of
users needing this).
As an aside, for some reason I've found that when you put
a PPTP server behind CP 4.1 NAT and statically map a public IP, you also
have to create an object with the public IP, and create an inbound rule
with that public and the PPTP service object, as well as an inbound rule
with the internal IP (that has the NAT rule specified as well).
Don't know why, and it doesn't happen with other services (http, terminal
services, pretty much anything I've tried) where you only need to create a
rule using the internal address. With PPTP, if you just do the
internal IP, you can initiate a connection on port 1723, but it times out
trying to authenticate.
-----Original Message-----
From:
Crist Clark [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 4:00 PM
To: [email protected]
Subject: Re: [FW-1] Can anyone confirm this
"Holland, Stephen" wrote:
>
> > PPTP uses GRE which does not
contain port numbers and therefor, can not be
>
> used in conjunction with HIDE NAT (PAT) PPTP client and two or
more
> > simultaneous connections to the
same PPTP MS server. This is a flaw in
>
> GRE and the terminating server is not able to distinguish the
two
> > different connection from the same
IP (i.e. PAT).
It is not a flaw in GRE (or the "enhanced-GRE" that PPTP
actually usese),
but is a limitation of the
Checkpoint NAT implementation. Have a look at
RFC
2637. The call ID field of the enhanced-GRE packet can easily be
used
as an identifier which a NAT implementation
may use to map multiple enhanced-
GRE streams to
separate hosts.
That said, last I knew the Microsoft PPTP server
implementation still has a
limitation where it
does not understand how to deal with multiple control
connections (1723/tcp) from a single client. Since it sees the same
source
IP address from multiple clients behind the
firewall, it doesn't deal well.
So in that case,
although the firewall will do NAT on the TCP connection
fine, the server can't handle it. (But note this is not an issue
when the
_server_ is behind the NATing device. You
can have multiple clients (where
"multiple" means
they have different source IPs from the server's point
of view) connect to a single server which is behind a NAT device.
If the
enhanced-GRE is handled by the NAT
implementation, it should work fine.)
--
Crist J.
Clark
[email protected]
Globalstar
Communications
The information contained in this e-mail message is
confidential,
intended only for the use of the
individual or entity named above.
If the reader of
this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended
recipient,
you are hereby notified that any
review, dissemination, distribution or
copying of
this communication is strictly prohibited. If you have
received this e-mail in error, please contact
[email protected]
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set
fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================