zimboman asked:

Netscreen 5GT Outgoing PPTP

Hi all,
I know this has been discussed ad nauseam, but I am still not able to get this to work. Please could I trouble you all for some clarification...

I have a network, protected by a 5GT. I have only ONE static, external IP address, which has been assigned to my untrust interface. At the moment, I have an outgoing any any PPTP rule. Funny thing is, there is one PPTP server, which I can connect to without any problems. The one that I need to though, and others, halts when verifying username and password. I basically understand that GRE is not being routed back through the firewall, I guess. (it would help if the one I used to test didn't actually work)

I have read other posts advising to set up DIPS. Well, I have only one ext IP, so that is not an option for me (I think?) I don't mind the fact that I will only be able to have one connection out at a time, it is just for testing a project, which is due soon.

I tried to set up a DIP, using a range that only included my one address, i.e. 1.1.1.1 ~ 1.1.1.1 - but that didn't work. I got an ###invalid dip parameter message. So I guess I am on the wrong track there.

I also read about using MIPs. Well, I tried to create a MIP, with a mapped IP - same as untrust / static external IP, to the one host IP I wanted to test from, and I got an error that one of the IPs in the suggested range was in use... So THAT won't work either...

Sorry all, but I am tearing my hair out - surely this shouldn't be this difficult?

Thank you in advance for your help...

ZM
rsivanandan

What OS are you running? 5.0 or lower?

Right now, I don't know of any way other than using DIP, the reason being that individual PPTP connections *have* to be differentiated by individual IP addresses. This is a known problem.

Cheers,
Rajesh
zimboman (ASKER)


Version 5.0.0r8.1.

Fine, that's OK - but WHY am I getting an error when trying to create a DIP? What do I need to do to create a DIP, with only ONE static IP address? BTW I have several VIPs configured - could those be preventing me from creating a DIP?

Thanks,
ZM
No, the DIP address pool range has to be different from the IP address assigned on the untrust interface, even if it is a single IP address. The bottom line is that you can't use the same address; you need to have another address.

And no, the VIPs don't interfere; they're only for incoming traffic.

Cheers,
Rajesh
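
The two replies above, as an added example that is not part of the original thread and is not ScreenOS code: a simplified Python model of source NAT that tracks port-less GRE by address pair only, showing why PPTP data flows collide behind one shared address and why a DIP pool that avoids the interface address separates them. The class and method names and the 192.168.1.x / 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress


class SourceNat:
    """Simplified source-NAT model, constructed for illustration (not ScreenOS code)."""

    def __init__(self, interface_ip, dip_pool=()):
        self.interface_ip = ipaddress.ip_address(interface_ip)
        self.free = [ipaddress.ip_address(a) for a in dip_pool]
        # Rule from the reply above: the DIP pool must not contain the
        # address already assigned to the untrust interface.
        if self.interface_ip in self.free:
            raise ValueError("DIP pool overlaps the untrust interface address")
        self.assigned = {}    # inside host -> translated source address
        self.gre_return = {}  # (translated source, server) -> inside host

    def _translated(self, inside):
        # Each inside host takes one pool address; with no pool (or an
        # exhausted one) every host shares the interface address.
        if inside not in self.assigned:
            self.assigned[inside] = self.free.pop(0) if self.free else self.interface_ip
        return self.assigned[inside]

    def open_gre(self, inside, server):
        """Record an outbound GRE flow. GRE has no ports, so the return key is
        the address pair only. Returns False when another inside host already
        owns that pair, i.e. return packets could not be told apart."""
        key = (self._translated(inside), ipaddress.ip_address(server))
        return self.gre_return.setdefault(key, inside) == inside

    def return_host(self, translated_src, server):
        """Inside host that receives GRE coming back from server, or None."""
        key = (ipaddress.ip_address(translated_src), ipaddress.ip_address(server))
        return self.gre_return.get(key)


if __name__ == "__main__":
    shared = SourceNat("1.1.1.1")  # only the untrust address, no DIP
    print(shared.open_gre("192.168.1.10", "203.0.113.5"))
    print(shared.open_gre("192.168.1.11", "203.0.113.5"))
    pooled = SourceNat("1.1.1.1", ["1.1.1.2", "1.1.1.3"])  # DIP on other addresses
    print(pooled.open_gre("192.168.1.10", "203.0.113.5"))
    print(pooled.open_gre("192.168.1.11", "203.0.113.5"))
    print(pooled.return_host("1.1.1.3", "203.0.113.5"))
```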
I simply created an outgoing policy - trust to untrust any any for PPTP service. This allows me to go out with one connection at a time (and to only one IP address...). Still no response from Juniper.
ASKER CERTIFIED SOLUTION
rsivanandan

This solution is only available to members.
Sorry - thanks Rajesh.
Thanks for the points.

Cheers,
Rajesh