
Allowing PPTP connection OUT through Firebox.

Posted on 2008-06-19
Last Modified: 2013-11-16
Hello All,

I have been reading about allowing PPTP through a Firebox X500. However, these are centred around those who have users wanting to VPN IN, which we already have set up through our main ISP for our staff. What we have is two clients who rent out two of our office spaces, and I have them set up to go through our *secondary* ISP that has a Firebox X500 on it.

What they use for their services is they VPN into their system, then remote desktop. Now, going straight through the router the VPN is fine, but through the Firebox they get Error 721, which says the computer is not responding because GRE isn't enabled? However, in the Policy Manager I have the PPTP Service set up for both ports 1723 and IP 47, but it still doesn't work?

I have tried NATs but I don't see how they'd help for trying to connect OUT to a VPN... Why won't my Firebox just pass the traffic through? Am I forgetting something?
Question by:GTuddenham

Expert Comment

by:dpk_wal
ID: 21830053
By default all outbound traffic from behind WG to the internet is allowed. Are they both going to the same VPN server? Which policy do you have for outbound traffic? What subnet are these clients on behind the Firebox?
Do you get any logs in the Firebox traffic monitor when they try connecting to the VPN from behind WG?

Please update.

Thank you.
 

Author Comment

by:GTuddenham
ID: 21843263
Yes, both going to the same VPN Server.

255.255.255.0, same as me. I'm accessing EE through this gateway that I'm trying to allow PPTP through. That's what I thought was strange as well, because Outgoing was allowed on all TCP/UDP.

06/23/08 12:27  kernel:  ip_fw_masq_gre(): Outbound GRE to 210.10.49.153 has no masq table entry.

That's what the traffic monitor comes up with.

Accepted Solution

by:dpk_wal (earned 1000 total points)
ID: 21843768
As both the clients are going to the same VPN server there would be problems with dynamic NAT; if you have free public IP addresses then you can do 1-1 NAT for those clients, then the traffic from these clients would be NATed properly and there would be no problems; however, this way two of your public IP addresses would be reserved for traffic from these two clients only.

Please let me know if you need details on configuring 1-1 NAT.

Thank you.
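
Added example, not part of the original thread and not WatchGuard code: a simplified Python model of why port-less dynamic NAT cannot keep two inside clients apart when both send GRE to the same PPTP server, and how PPTP Call ID tracking (RFC 2637) or one public IP per client (1-1 NAT) separates them. The class, addresses and Call IDs are constructed for illustration.

```python
"""Toy model of NAT state for PPTP's GRE data channel (IP protocol 47).
Added illustration only; it does not reproduce the Firebox's implementation."""

SERVER = "203.0.113.10"                      # constructed remote PPTP server
CLIENTS = ["192.168.1.10", "192.168.1.11"]   # constructed inside hosts


class GreNat:
    def __init__(self, public_ips, pptp_aware=False):
        self.public_ips = public_ips   # one shared IP, or one per client
        self.pptp_aware = pptp_aware   # True: track Call IDs (RFC 2637)
        self.table = {}                # NAT key -> inside client
        self.next_call_id = 1

    def _public_ip(self, client):
        # Dynamic NAT: everyone shares public_ips[0]. 1-1 NAT: own address.
        if len(self.public_ips) == 1:
            return self.public_ips[0]
        return self.public_ips[CLIENTS.index(client)]

    def open_call(self, client, server, call_id):
        """Register an outbound call; return the NAT key, or None on conflict."""
        pub = self._public_ip(client)
        if self.pptp_aware:
            # Replace the client's Call ID with one unique on the public side;
            # a PPTP-aware NAT learns it from the TCP/1723 control channel.
            call_id, self.next_call_id = self.next_call_id, self.next_call_id + 1
            key = (pub, server, call_id)
        else:
            # GRE has no ports: only the address pair distinguishes sessions.
            key = (pub, server)
        if self.table.setdefault(key, client) != client:
            return None                # entry already owned by another host
        return key

    def inbound(self, key):
        """Inside client that a returning GRE packet with this key reaches."""
        return self.table.get(key)


def run(nat):
    """Both clients dial the same server, each choosing Call ID 7."""
    return [nat.open_call(c, SERVER, 7) for c in CLIENTS]
```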
 

Author Comment

by:GTuddenham
ID: 21863045
Thanks for that. Unfortunately we don't have any public IPs on that gateway, so I'll have to look into organising it through our other gateway, where we just have to say what we want done and they make the changes, but it opens up our firewall really just for two clients. Thanks for all your help!
 

Expert Comment

by:cscitltd
ID: 24078624
Hi

I know this thread is waaaayyyy old, but I have managed to get this working without using secondary IPs. It is because the Firebox is set to be a PPTP server itself and is therefore binding GRE to itself.

To resolve this you must disable the FB for remote users by clearing the "Activate Remote User" under Network --> Remote User --> PPTP (tab), once this is done (and FB rebooted) PPTP out should work fine, obviously this is no good if you want to use the FB as a PPTP server!!

Hope this helps some people...
 

Expert Comment

by:mazzyman
ID: 38640780
I know this is ancient history now but I have a twist to this. I am experiencing the same problem with my FB x500 in that I can't create a pptp connection to a remote vpn server -- but only when the client is a Linux machine. There's no problem connecting to the remote server from a Windows client. That tells me that having the FB also configured as a vpn server for incoming connections is not the problem, and it is apparently not necessary to do 1-1 NAT for the Windows client with a dedicated public IP address. I have confirmed that the Linux client can connect to the remote server if it's not behind the FB. (The Linux client (CentOS 5.8) is a VM on my laptop using VMware Wkstn 9 and the pptp client works fine when it's behind a different firewall.) So the lethal combination appears to be the Linux client + the FB.

If anyone has any further insights into this I'd really appreciate hearing them. I'd prefer to not have to replace the FB since it's working well otherwise.

Thanks!
 

Expert Comment

by:Botia4
ID: 39318317
I am having the same issue on a Windows 7 machine trying to connect to an external VPN using PPTP.  Activate Remote User is not enabled.  Receive the following message in the log:
[date time]  kernel:  ip_fw_masq_gre(): Outbound GRE to [ipaddress] has no masq table entry. This is on a FB 700.
Question has a verified solution.