shareef_yassin
asked on
how to bypass the pptp SSG550 6.1.0r2.0
Dear Sir,
kindly be informed that I have SSG550 v 6.1.0r2.0.my internal users arent enable to connect to external VPN servers when I followed the below artical it didnt work too. and in the same time I have ISA server in the DMZ to connect the users VPN it is stopped after I enabled ALG PPTP:
1-http://kb.juniper.net/InfoCenter/index?page=content&id=KB12309
2-http://kb.juniper.net/InfoCenter/index?page=content&id=KB4481
so please advise what i should do or how i trace the problem
kindly be informed that I have SSG550 v 6.1.0r2.0.my internal users arent enable to connect to external VPN servers when I followed the below artical it didnt work too. and in the same time I have ISA server in the DMZ to connect the users VPN it is stopped after I enabled ALG PPTP:
1-http://kb.juniper.net/InfoCenter/index?page=content&id=KB12309
2-http://kb.juniper.net/InfoCenter/index?page=content&id=KB4481
so please advise what i should do or how i trace the problem
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
also i need to mention that i disabled the PPTP ALG and no single session created
Bad news for you. You won't get support for 6.1 - end of life 28 Jan 2012. Support for 6.2 will end this year, and 6.3 end of 2015.
You can get documention without support contract (you may have to log in though) at http://www.juniper.net/support/downloads/screenos.html, but the software is available only with a contract - which is more expensive for 550 than for e.g. 320, but should still be in your budget if PPTP is an important feature.
Your only choices are:
Whether PPTP works without the ALG depends on your config. Inbound it won't work. Outbound you should be able to establish a single session. But NAT, MIP, DIP, routing and such can interfere with PPTP.
You can get documention without support contract (you may have to log in though) at http://www.juniper.net/support/downloads/screenos.html, but the software is available only with a contract - which is more expensive for 550 than for e.g. 320, but should still be in your budget if PPTP is an important feature.
Your only choices are:
use a MIP for each concurrent PPTP connection - i.e. you have to assign an unique, static public IP for each.
upgrade ScreenOS.
Whether PPTP works without the ALG depends on your config. Inbound it won't work. Outbound you should be able to establish a single session. But NAT, MIP, DIP, routing and such can interfere with PPTP.
ASKER
ok i can try to accept that outbound with single connection.but it didnt work too.
i allawed from inside to outside my private IP to outside any for the protocols PPTP,GRE,HTTP and DNS and in advanced chooses source translate with my dedicated real IP fix/port and it doesnt work too.
could you please advise
i allawed from inside to outside my private IP to outside any for the protocols PPTP,GRE,HTTP and DNS and in advanced chooses source translate with my dedicated real IP fix/port and it doesnt work too.
could you please advise
Trusted to Untrusted traffic has NAT applied by default (and that can't be changed). You do not need Source Translation of the policy hence, it might even interfere.
The most reliable way is to use a dedicated public IP address (MIP) for PPTP and GRE traffic - if you can't do that, because you only have a single public IP, port forwarding via a VIP definition can help (for port 1723 = PPTP and protocol 47 = GRE). A VIP is defined in the Untrust interface settings.
You can also try if switching on/off PPTP ALG works after rebooting SSG.
The most reliable way is to use a dedicated public IP address (MIP) for PPTP and GRE traffic - if you can't do that, because you only have a single public IP, port forwarding via a VIP definition can help (for port 1723 = PPTP and protocol 47 = GRE). A VIP is defined in the Untrust interface settings.
You can also try if switching on/off PPTP ALG works after rebooting SSG.
ASKER
how i can use the MIP?should i used it as destination nat translation "i mean in the same rule from inside to outside in the advanced tab use the destination translation instead of source translation"
ASKER
i created MIP on the outside interface and in the advanced tab in the inside to untrust rule didn't check any box and it doesn't work too
We will need exact data to further try to help you. Remember, we cannot see what you have done.
For example:
Your Untrust interface has IP 1.1.1.2, and you have 1.1.1.1 - 1.1.1.6 for your own purposes (that is a block of 8 IPs, minus 1 for the ISP router, one for network, one for broadcast => 5 IPs available).
You defined a MIP of 1.1.1.3 on the Untrust interface.
You created policies in both directions of Trust to Untrust for the MIP to/from any, without service restrictions (for starters).
You set up session logging on that policies.
That policies are topmost in both Trust to Untrust and Untrust to Trust.
Having done that, all traffic from your specific private IP should get logged, and you can be certain the policy and MIP setting are used.
For example:
Your Untrust interface has IP 1.1.1.2, and you have 1.1.1.1 - 1.1.1.6 for your own purposes (that is a block of 8 IPs, minus 1 for the ISP router, one for network, one for broadcast => 5 IPs available).
You defined a MIP of 1.1.1.3 on the Untrust interface.
You created policies in both directions of Trust to Untrust for the MIP to/from any, without service restrictions (for starters).
You set up session logging on that policies.
That policies are topmost in both Trust to Untrust and Untrust to Trust.
Having done that, all traffic from your specific private IP should get logged, and you can be certain the policy and MIP setting are used.
ASKER
that is the rule as i created from trust to untust and i used MIP
shareef yassin 10.15.20.9 Any CUSTOM PPTP,DNS,GRE,HTTP,HTTPS,PP
testpptp [Index: 2 Permit application service: IGNORE Logging Enabled Logging At Start Enabled]
shareef yassin 10.15.20.9 Any CUSTOM PPTP,DNS,GRE,HTTP,HTTPS,PP
testpptp [Index: 2 Permit application service: IGNORE Logging Enabled Logging At Start Enabled]
Do you see anything logged in that policy?
ASKER
yes as bellow :
2013-05-30 10:58:44 10.15.20.9:1283 dtsrealip::1723 myrealip:1283 81.x.x.221:1723 PPTP 33 sec. 668 630 Close - TCP FIN
2013-05-30 10:58:13 10.15.20.9:2048 dtsrealip::2048 myrealip:2048 81.x.x.221:2048 GRE 0 sec. 0 0 Creation
2013-05-30 10:58:11 10.15.20.9:1283 dtsrealip:1723 myrealip:1283 81.x.x.221:1723 PPTP 0 sec. 0 0 Creation
2013-05-30 10:58:44 10.15.20.9:1283 dtsrealip::1723 myrealip:1283 81.x.x.221:1723 PPTP 33 sec. 668 630 Close - TCP FIN
2013-05-30 10:58:13 10.15.20.9:2048 dtsrealip::2048 myrealip:2048 81.x.x.221:2048 GRE 0 sec. 0 0 Creation
2013-05-30 10:58:11 10.15.20.9:1283 dtsrealip:1723 myrealip:1283 81.x.x.221:1723 PPTP 0 sec. 0 0 Creation
I understand 10.15.20.9 is your PC's IP, which gets translated to myrealip. But is dtsrealip = 81.x.x.221? (I have removed parts of the public IP of your post for privacy reasons).
ASKER
yes
ASKER