Solved

VPN Server Ports?

Posted on 2003-03-06
Last Modified: 2011-10-03
I've got a few questions actually.  First I know if I want to set up a VPN behind NAT I need to forward some ports.  TCP port 1723 (PPTP) and IP Protocol 47 (GRE).  Forwarding port 1723 is no problem as I have the ability to forward TCP and UDP ports.  I'm not sure what TCP or UDP port to forward when it comes to IP Protocol 47.  Sounds to me like if my router doesn't support VPN I can't forward IP Protocol 47.  If that is the case, can I forward IP Protocol 47 if I am using a W2K server in Routing and Remote Access?  I'm able to forward other ports but I only see the option for TCP and UDP ports.  I have other questions but right now this is the biggest one.  Any light anyone can shed on this would be very helpful.
Question by:tnkrtrn
12 Comments
 
LVL 7

Accepted Solution

by:
Goldwing earned 200 total points
ID: 8084402
Have you tried to get a VPN working with only opening 1723?
I've had a similar problem at a customer, and tried everything; eventually it was wasted time, because it worked with only 1723.
I also mapped a TCP port 500 to the server (I also named it a VPN port, but can't remember why).
0
 
LVL 7

Expert Comment

by:Goldwing
ID: 8084485
I just remembered, you NEED Port 500... and it's not TCP but UDP!
This did it for me at the customer, works like a charm.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8085876
Port 500 is only for IPsec VPN, not PPTP VPN. What kind of router are you using? Most have a "DMZ" host that you can forward all traffic to one host. Also, if it is a Linksys, there is fine print in the manual that says if you want to forward ports, you have to turn off DHCP server. Go figure..
0

 

Author Comment

by:tnkrtrn
ID: 8089162
Thanks for the responses guys.  I'm going to try Goldwing's solution tonight and I'll let you guys know if it worked this weekend.  Let me take a second to explain my setup to you.  I've got Ameritech DSL.  It comes into an Efficient Networks Speedstream 5861 (which is a DSL modem/router in one combo).  From there I have everything forwarded to my server (W2K Server box) and then data flows to my network.  If I need to forward any ports I forward them via the W2K server special ports.  I have tried to tell my company to get a different/better setup but they don't want to spend the money.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8089308
Ouch! This is a business setup?
0
 

Author Comment

by:tnkrtrn
ID: 8090804
Yep and not a good one but it's all I have to work with.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8102822
FYI TCP/UDP ports 500 are not necessary with Microsoft PPTP VPN. You need only TCP port 1723 and Protocol 47 (GRE). GRE has no concept of ports, so the best way is to use a static one-to-one NAT translation (basically what defining a DMZ host does) to forward all traffic, then set up some other specific filter rules.
I hope they'll spend the money when they get hacked into and everything they have is posted on the internet for the world to see. It will cost 10 times more after the fact, than it would cost to prevent it in the first place.

IMHO   <8-}
0
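An added example, not part of any poster's reply: the sketch below classifies three constructed IPv4 packets the way a NAT or filter rule sees them, showing that PPTP's data channel (IP protocol 47, enhanced GRE per RFC 2637) carries a Call ID where TCP and UDP carry ports. The addresses, port 49152 and Call ID 0x0042 are constructed sample values, and the helper names `classify` and `ipv4` are hypothetical.

```python
import struct

# IANA IP protocol numbers relevant to the thread
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47

def classify(packet: bytes) -> dict:
    """Describe an IPv4 packet the way a NAT/firewall rule would see it."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]                      # IP protocol field
    payload = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        name = "tcp" if proto == PROTO_TCP else "udp"
        return {"proto": name, "sport": sport, "dport": dport,
                "pptp": proto == PROTO_TCP and 1723 in (sport, dport)}
    if proto == PROTO_GRE:
        # Enhanced GRE header: flags/version, protocol type, payload length, Call ID
        flags_ver, ptype, _plen, call_id = struct.unpack("!HHHH", payload[:8])
        # PPTP data uses GRE version 1 with protocol type 0x880B; there are no port fields
        is_pptp = (flags_ver & 0x7) == 1 and ptype == 0x880B
        return {"proto": "gre", "call_id": call_id, "pptp": is_pptp}
    return {"proto": proto, "pptp": False}

def ipv4(proto: int, payload: bytes) -> bytes:
    """Wrap payload in a minimal 20-byte IPv4 header (checksum left at 0)."""
    src, dst = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])  # documentation ranges
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return header + src + dst + payload

# Constructed sample packets, not captured traffic
SAMPLES = {
    # PPTP control channel: TCP to port 1723, forwardable as an ordinary port
    "pptp_control": ipv4(PROTO_TCP, struct.pack("!HH", 49152, 1723) + b"\x00" * 16),
    # PPTP data channel: GRE v1 with K and S bits set, Call ID 0x0042, 4-byte payload
    "pptp_data": ipv4(PROTO_GRE, struct.pack("!HHHH", 0x3001, 0x880B, 4, 0x0042) + b"\x00" * 8),
    # IKE for IPsec: UDP 500, unrelated to PPTP
    "ike": ipv4(PROTO_UDP, struct.pack("!HH", 500, 500) + b"\x00" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```
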
 

Author Comment

by:tnkrtrn
ID: 8103465
The both of you have helped me greatly.  How do I go about awarding points to two people?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8104046
You can post a question in Community Support area and ask a moderator to help you split points. Generally, they will reduce the value of this one, and suggest that you post a new question "points for <expert>" and a link back to this one in the body.

Cheers!
0
 

Author Comment

by:tnkrtrn
ID: 8104583
Excellent information.
0
 

Author Comment

by:tnkrtrn
ID: 8104625
lrmoore, I set up another question so I could also award points to you.  http://www.experts-exchange.com/Networking/Broadband/VPN/Q_20545145.html  Thanks to all for your help.  I'll be back with more VPN questions ;-)
0
 
LVL 3

Expert Comment

by:MauriceX
ID: 8497694
I'm not sure who here was in charge of putting in the "Accepted answer" but for true PPTP VPN, you MUST forward protocol 47!!! ROUTING AND REMOTE ACCESS DOES NOT SUPPORT PROTOCOL 47 FORWARDING!!!! A not so cheap and proper way of doing things would be to use Microsoft's ISA Server (Internet Security and Acceleration Server) to act as your "firewall". It installs on an NT box and does many more advanced options.
http://www.microsoft.com/isaserver/

Also, you should put your modem BACK into bridged mode instead of double NAT'ing. Use raspppoe (available at http://www.raspppoe.com) to terminate your PPPoE connection. Just install this free lightweight protocol. With it, you can use the standard DUN to establish a connection, which you would need for ISA Server, or go into ports under Routing and Remote Access, allow it to terminate outgoing connections and create a demand-dial/persistent connection. THIS WILL NOT ONLY SPEED UP YOUR CONNECTION, BUT ALLOW WAY MORE FLEXIBILITY!!!

Questions/Comments... Support
Jayme@Netflash.net
(been the best of the best for 17 years)
0
