Solved

VPN Server Ports?

Posted on 2003-03-06
Last Modified: 2011-10-03
I've got a few questions actually.  First, I know if I want to set up a VPN behind NAT I need to forward some ports: TCP port 1723 (PPTP) and IP Protocol 47 (GRE).  Forwarding port 1723 is no problem as I have the ability to forward TCP and UDP ports.  I'm not sure what TCP or UDP port to forward when it comes to IP Protocol 47.  Sounds to me like if my router doesn't support VPN I can't forward IP Protocol 47.  If that is the case, can I forward IP Protocol 47 if I am using a W2K server in Routing and Remote Access?  I'm able to forward other ports but I only see the option for TCP and UDP ports.  I have other questions but right now this is the biggest one.  Any light anyone can shed on this would be very helpful.
Question by:tnkrtrn
12 Comments
 
LVL 7

Accepted Solution

by:
Goldwing earned 200 total points
ID: 8084402
Have you tried to get a VPN working with only opening 1723?
I've had a similar problem at a customer, and tried everything; eventually it was wasted time, because it worked with only 1723.
I also mapped TCP port 500 to the server (I also named it a VPN port, but can't remember why).
0
 
LVL 7

Expert Comment

by:Goldwing
ID: 8084485
I just remembered, you NEED Port 500... and it's not TCP but UDP!
This did it for me at the customer, works like a charm.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8085876
Port 500 is only for IPsec VPN, not PPTP VPN. What kind of router are you using? Most have a "DMZ" host so that you can forward all traffic to one host. Also, if it is a Linksys, there is fine print in the manual that says if you want to forward ports, you have to turn off the DHCP server. Go figure..
0
 

Author Comment

by:tnkrtrn
ID: 8089162
Thanks for the responses guys.  I'm going to try Goldwing's solution tonight and I'll let you guys know if it worked this weekend.  Let me take a second to explain my setup to you.  I've got Ameritech DSL.  It comes into an Efficient Networks Speedstream 5861 (which is a DSL modem/router in one combo).  From there I have everything forwarded to my server (W2K Server box) and then data flows to my network.  If I need to forward any ports I forward them via the W2K server special ports.  I have tried to tell my company to get a different/better setup but they don't want to spend the money.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8089308
Ouch! This is a business setup?
0
 

Author Comment

by:tnkrtrn
ID: 8090804
Yep and not a good one but it's all I have to work with.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8102822
FYI TCP/UDP ports 500 are not necessary with Microsoft PPTP VPN. You need only TCP port 1723 and Protocol 47 (GRE). GRE has no concept of ports, so the best way is to use a static one-to-one NAT translation (basically what defining a DMZ host does) to forward all traffic, then set up some other specific filter rules.
I hope they'll spend the money when they get hacked into and everything they have is posted on the internet for the world to see. It will cost 10 times more after the fact, than it would cost to prevent it in the first place.

IMHO   <8-}
0
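The point made in the comment above, that GRE is IP protocol 47 and carries no ports, shown as an added example (not code from anyone in this thread): a small Python classifier run over constructed packets. The addresses, the Call ID and the helper names are assumptions chosen for illustration; the enhanced GRE layout follows RFC 2637.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723   # TCP control channel named in the thread
GRE_PROTO_PPP = 0x880B     # protocol type of PPTP's enhanced GRE (RFC 2637)

def classify(packet: bytes) -> dict:
    """Report what a forwarding rule could match on in one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]                         # the IP header's Protocol field
    body = packet[(packet[0] & 0x0F) * 4:]    # skip the IP header (IHL words)
    info = {"ip_proto": proto, "kind": "other", "dport": None, "role": "other"}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        info["kind"] = "tcp" if proto == IPPROTO_TCP else "udp"
        info["dport"] = dport
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            info["role"] = "pptp-control"
    elif proto == IPPROTO_GRE and len(body) >= 4:
        flags, gre_proto = struct.unpack("!HH", body[:4])
        info["kind"] = "gre"                  # no port fields follow this header
        if (flags & 0x0007) == 1 and gre_proto == GRE_PROTO_PPP and len(body) >= 8:
            # Enhanced GRE (version 1): the key field is payload length + Call ID
            _length, info["call_id"] = struct.unpack("!HH", body[4:8])
            info["role"] = "pptp-data"
    return info

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet; checksum left 0 since classify() ignores it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return header + payload

# Constructed sample packets (documentation addresses, made-up Call ID).
SAMPLES = {
    "pptp-control": ipv4(IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16)),
    "pptp-data": ipv4(IPPROTO_GRE,
                      struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 0x1A2B, 1) + bytes(4)),
    "udp-500": ipv4(IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

For the GRE sample `dport` stays `None`: beyond protocol number 47, the only identifier in the header is the PPTP Call ID, so a form that accepts only TCP or UDP port numbers has nothing to match.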
 

Author Comment

by:tnkrtrn
ID: 8103465
The both of you have helped me greatly.  How do I go about awarding points to two people?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8104046
You can post a question in Community Support area and ask a moderator to help you split points. Generally, they will reduce the value of this one, and suggest that you post a new question "points for <expert>" and a link back to this one in the body.

Cheers!
0
 

Author Comment

by:tnkrtrn
ID: 8104583
Excellent information.
0
 

Author Comment

by:tnkrtrn
ID: 8104625
lrmoore, I set up another question so I could also award points to you.  http://www.experts-exchange.com/Networking/Broadband/VPN/Q_20545145.html  Thanks to all for your help.  I'll be back with more VPN questions ;-)
0
 
LVL 3

Expert Comment

by:MauriceX
ID: 8497694
I'm not sure who here was in charge of putting in the "Accepted answer", but for true PPTP VPN, you MUST forward protocol 47!!! ROUTING AND REMOTE ACCESS DOES NOT SUPPORT PROTOCOL 47 FORWARDING!!!! A not so cheap and proper way of doing things would be to use Microsoft's ISA Server (Internet Security and Acceleration Server) to act as your "firewall". It installs on an NT box and does many more advanced options.
http://www.microsoft.com/isaserver/

Also, you should put your modem BACK into bridged mode instead of double NAT'ing. Use raspppoe (available at http://www.raspppoe.com) to terminate your PPPoE connection. Just install this free lightweight protocol. With it, you can use the standard DUN to establish a connection, which you would need for ISA Server, or go into ports under Routing and Remote Access, allow it to terminate outgoing connections and create a demand-dial/persistent connection. THIS WILL NOT ONLY SPEED UP YOUR CONNECTION, BUT ALLOW WAY MORE FLEXIBILITY!!!

Questions/Comments... Support
Jayme@Netflash.net
(been the best of the best for 17 years)
0
