VPN Server Ports?

tnkrtrn (asker):
I've got a few questions actually. First, I know that if I want to set up a VPN behind NAT I need to forward some ports: TCP port 1723 (PPTP) and IP Protocol 47 (GRE). Forwarding port 1723 is no problem, as I have the ability to forward TCP and UDP ports. I'm not sure what TCP or UDP port to forward when it comes to IP Protocol 47. Sounds to me like if my router doesn't support VPN I can't forward IP Protocol 47. If that is the case, can I forward IP Protocol 47 if I am using a W2K server in Routing and Remote Access? I'm able to forward other ports, but I only see the option for TCP and UDP ports. I have other questions, but right now this is the biggest one. Any light anyone can shed on this would be very helpful.
ASKER CERTIFIED SOLUTION by Goldwing
Goldwing:
I just remembered, you NEED Port 500... and it's not TCP but UDP!
This did it for me at the customer, works like a charm.
Les Moore:
Port 500 is only for IPSec VPN, not PPTP VPN. What kind of router are you using? Most have a "DMZ" host that you can forward all traffic to one host. Also, if it is a Linksys, there is fine print in the manual that says if you want to forward ports, you have to turn off the DHCP server. Go figure...
tnkrtrn (ASKER):
Thanks for the responses, guys. I'm going to try Goldwing's solution tonight and I'll let you guys know this weekend if it worked. Let me take a second to explain my setup to you. I've got Ameritech DSL. It comes into an Efficient Networks Speedstream 5861 (which is a DSL modem/router in one combo). From there I have everything forwarded to my server (W2K Server box) and then data flows to my network. If I need to forward any ports, I forward them via the W2K server special ports. I have tried to tell my company to get a different/better setup, but they don't want to spend the money.
Ouch! This is a business setup?
tnkrtrn (ASKER):
Yep and not a good one but it's all I have to work with.
FYI, TCP/UDP ports 500 are not necessary with Microsoft PPTP VPN. You need only TCP port 1723 and Protocol 47 (GRE). GRE has no concept of ports, so the best way is to use a static one-to-one NAT translation (basically what defining a DMZ host does) to forward all traffic, then set up some other specific filter rules.
I hope they'll spend the money when they get hacked into and everything they have is posted on the internet for the world to see. It will cost 10 times more after the fact, than it would cost to prevent it in the first place.

IMHO   <8-}
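To make the point concrete, here is an added example (not from this thread) that parses constructed IPv4 packets and shows why a consumer router's TCP/UDP port-forwarding table can match the PPTP control connection on TCP 1723 but can never match the GRE (protocol 47) data packets, while a one-to-one NAT / DMZ host forwards by IP protocol and does. Packet bytes, addresses and rule tables are constructed for the demo; the headers carry zero checksums.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723

def build_ipv4(proto, payload, src="203.0.113.10", dst="198.51.100.5"):
    """Constructed minimal IPv4 header (no options, checksum left 0) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src_b, dst_b)
    return hdr + payload

def classify(packet):
    """Return (ip_protocol, destination_port_or_None) for a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                      # IPv4 protocol field
    payload = packet[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP start with 16-bit source and destination ports.
        _, dport = struct.unpack("!HH", payload[:4])
        return proto, dport
    return proto, None                     # GRE and others: there is no port field

def port_forward_decision(packet, rules):
    """rules: (proto, port) pairs, the only thing a TCP/UDP-only router page can express."""
    proto, dport = classify(packet)
    for rule_proto, rule_port in rules:
        if rule_proto == proto and rule_port == dport:
            return "forward"
    return "drop"

def dmz_decision(packet, allowed_protos):
    """One-to-one NAT / DMZ host: forward by IP protocol number, ports are irrelevant."""
    proto, _ = classify(packet)
    return "forward" if proto in allowed_protos else "drop"

# Constructed samples: a PPTP control segment and a GRE v1 (PPTP data) packet.
PPTP_CTRL = build_ipv4(IPPROTO_TCP,
                       struct.pack("!HH", 40000, PPTP_CONTROL_PORT) + b"\x00" * 16)
GRE_DATA = build_ipv4(IPPROTO_GRE, bytes([0x30, 0x01, 0x88, 0x0B]) + b"\x00" * 8)

# A typical TCP/UDP-only forwarding table; there is no way to list "protocol 47" here.
TCP_UDP_RULES = [(IPPROTO_TCP, PPTP_CONTROL_PORT), (IPPROTO_UDP, 500)]
```

Restricting the DMZ host's allowed protocols to just TCP and GRE is the "specific filter rules" step from the post above.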
tnkrtrn (ASKER):
The both of you have helped me greatly. How do I go about awarding points to two people?
You can post a question in Community Support area and ask a moderator to help you split points. Generally, they will reduce the value of this one, and suggest that you post a new question "points for <expert>" and a link back to this one in the body.

Cheers!
tnkrtrn (ASKER):
Excellent information.
tnkrtrn (ASKER):
Irmoore, I set up another question so I could also award points to you. https://www.experts-exchange.com/questions/20545145/Points-for-Irmoore.html Thanks to all for your help. I'll be back with more VPN questions ;-)
I'm not sure who here was in charge of putting in the "Accepted answer", but for true PPTP VPN, you MUST forward protocol 47!!! ROUTING AND REMOTE ACCESS DOES NOT SUPPORT PROTOCOL 47 FORWARDING!!!! A not-so-cheap and proper way of doing things would be to use Microsoft's ISA Server (Internet Security and Acceleration Server) to act as your "firewall". It installs on an NT box and has many more advanced options.
http://www.microsoft.com/isaserver/

Also, you should put your modem BACK into bridged mode instead of double-NATing. Use RASPPPoE (available at http://www.raspppoe.com) to terminate your PPPoE connection. Just install this free lightweight protocol. With it, you can use the standard DUN to establish a connection, which you would need for ISA Server, or go into Ports under Routing and Remote Access, allow it to terminate outgoing connections and create a demand-dial/persistent connection. THIS WILL NOT ONLY SPEED UP YOUR CONNECTION, BUT ALLOW WAY MORE FLEXIBILITY!!!

Questions/Comments... Support
Jayme@Netflash.net
(been the best of the best for 17 years)