Re: Checkpoint-1 and PPTP Sessions

From: Don Kelloway (dkelloway@commodon.com)
Date: 03/21/03


Date: Fri, 21 Mar 2003 17:54:41 GMT

It's my understanding that a long-standing issue with PPTP and NAT is that
it doesn't work when the client is behind or on the protected side of the
firewall. In essence, PPTP will work inbound through NAT, but it will not
work outbound.

--
Best regards,
Don Kelloway
Commodon Communications
http://www.commodon.com
Visit http://www.commodon.com to learn about Back Orifice (BO), NetBus (NB),
SubSeven (Sub7), etc.  All of which are "Threats to Your Security on the
Internet".
"Carl W Crawley" <webmaster@wight365.net> wrote in message
news:v7ls3bk336fob0@corp.supernews.com...
> Hi All,
>
> I've just inherited a Nokia IP650 running Checkpoint-1 (v. 4.1 I believe)
> and I'm trying to get PPTP working on it without success.
>
> I've set up a NAT rule from my internal 10.x address to the public 195.x
> address and in the security table put the following:
>
> Source        Destination        Service
> ALL      -->  NAT IP       -->   PPTP (TCP 1723 and GRE ip_p=47)
> NAT IP   -->  All          -->   PPTP (TCP 1723 and GRE ip_p=47)
>
> When I try instantiating a PPTP from the PC behind the firewall, it
> acknowledges, authenticates and then just sits there and doesn't do
> anything - the connection eventually then fails (port could not be
> established).
>
> Upon investigation by the people that run the PPTP server, they see my
> connection being established.. but from a different IP - it is in fact the
> IP address of the Firewall, not the IP address I've put in to NAT.
>
> Any idea what I'm missing to get this to work?
>
> Rgds,
>
> C.
>
>

