PPTP through Netscreen firewall not working

Tingathewinga
Hi guys,

One of my clients had a failed modem, so we went in and replaced it with a new Draytek modem, and the onsite IT guy decided to use PPPoE passthrough to the Netscreen. Everything worked with the exception of PPTP through to an internal 2003 server.
I have posted the config of the Netscreen here, -cfg.txt

Things to note are that the config used to have a MIP from 192.168.110.102 (external port on F/W) through to the 2003 server; this has been deleted as the ext f/w port is now the ISP WAN port. I tried to create a new MIP on that port but it complained about the port being in use already.

The PPTP vpn gets through to Verifying Username and password, but hangs there.
The 2003 server is on 172.22.3.2 or 172.22.3.1.

Appreciate any help with this.

Regards

Tinga

Commented:
You will need to create a VIP instead of a MIP since you now only have the one public IP. Without it you will not be able to PPTP to the 2003 server.

Commented:
Seeing as you already have a VIP for several services, you will just need to add the PPTP services to the existing VIP. :)

Author

Commented:
Hi Sangamc,

The PPTP ports and GRE 47 are both a part of the PPTP-herc service already setup as a VIP

Cheers

Tinga

Commented:
With a VIP you actually have to specify each port mapping separately. I have never had success when combining them, especially when I have more than five mappings.

It's probably only seeing the port specified in the VIP definition, and that's why there is partial connectivity.

Author

Commented:
Excellent answer, I created two separate services as mentioned and set the GRE to port 2048 and all is working well now, thank you.

Commented:
Wow, was just about to answer with the following: ...

Here is a PPTP config for a client of mine using a VIP. I kept only the useful parts. It turns out I only mapped one port, 2048.

set service "PPTP-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set service "PPTP-47" + tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
...
set interface ethernet3 vip untrust 2048 "PPTP-47" 10.130.10.10 manual
...
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "GRE" permit log
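
An added example, not part of the thread or of anyone's posted config: a small Python audit that reads ScreenOS-style `set service` and `set interface ... vip` lines in the form quoted above and reports which PPTP pieces (TCP 1723 and GRE, IP protocol 47) have no VIP mapping for an internal host. It encodes the thread's working assumption that a VIP entry only forwards the service entry matching its virtual port; the two sample configs are constructed (service name "PPTP-herc" and GRE on 2048 are taken from the posts, the line contents are assumed).

```python
import re
from collections import defaultdict

SVC = re.compile(r'set service "([^"]+)" (?:protocol|\+) (\S+) src-port \S+ dst-port (\d+)-(\d+)')
VIP = re.compile(r'set interface \S+ vip \S+ (\d+) "([^"]+)" (\S+)')
NEEDED = {"tcp/1723", "gre/47"}  # PPTP control channel plus GRE (IP protocol 47)

# Constructed sample: one combined service behind a single VIP entry.
BROKEN = '''\
set service "PPTP-herc" protocol tcp src-port 0-65535 dst-port 1723-1723
set service "PPTP-herc" + 47 src-port 2048-2048 dst-port 2048-2048
set interface ethernet3 vip untrust 1723 "PPTP-herc" 172.22.3.2 manual
'''

# Constructed sample: two separate services, each with its own VIP entry.
FIXED = '''\
set service "PPTP-1723" protocol tcp src-port 0-65535 dst-port 1723-1723
set service "GRE-47" protocol 47 src-port 2048-2048 dst-port 2048-2048
set interface ethernet3 vip untrust 1723 "PPTP-1723" 172.22.3.2 manual
set interface ethernet3 vip untrust 2048 "GRE-47" 172.22.3.2 manual
'''

def missing_pptp_mappings(config):
    """Return {internal_host: [PPTP pieces with no VIP mapping]}."""
    lines = [l.strip() for l in config.splitlines()]
    services = defaultdict(list)  # service name -> [(protocol, dst_lo, dst_hi)]
    for line in lines:
        if m := SVC.match(line):
            services[m[1]].append((m[2].lower(), int(m[3]), int(m[4])))
    mapped = defaultdict(set)     # internal host -> PPTP pieces actually forwarded
    for line in lines:
        if not (m := VIP.match(line)):
            continue
        vport, host = int(m[1]), m[3]
        for proto, lo, hi in services[m[2]]:
            if not lo <= vport <= hi:
                continue          # assumed: entry is not reachable via this virtual port
            if proto == "tcp" and vport == 1723:
                mapped[host].add("tcp/1723")
            elif proto == "47":
                mapped[host].add("gre/47")
    # Only hosts with at least one PPTP piece mapped are reported.
    return {h: sorted(NEEDED - got) for h, got in mapped.items() if NEEDED - got}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_pptp_mappings(cfg) or "PPTP fully mapped")
```

A host that shows `gre/47` as missing matches the symptom in the question: the TCP 1723 control channel connects, then the session hangs at "Verifying Username and password" because the GRE traffic is not forwarded.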
