Solved

How to bypass the PPTP SSG550 6.1.0r2.0

Posted on 2013-05-26
Last Modified: 2014-04-01
Dear Sir,

Kindly be informed that I have an SSG550 v6.1.0r2.0. My internal users aren't able to connect to external VPN servers; when I followed the articles below it didn't work either. At the same time I have an ISA server in the DMZ to connect the users' VPN, and it stopped after I enabled the PPTP ALG:

1-http://kb.juniper.net/InfoCenter/index?page=content&id=KB12309
2-http://kb.juniper.net/InfoCenter/index?page=content&id=KB4481

So please advise what I should do, or how I can trace the problem.
Question by:shareef_yassin
14 Comments
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39197674
The PPTP ALG of ScreenOS 6 went through a lot of patches. I myself had several support cases with Juniper in regard to that. If you do not use the PPTP ALG, a single PPTP session can be created. If you use the PPTP ALG, it depends on randomly chosen session states, and whether unique source and target IPs are involved. It is quite complex because of GRE in combination with NAT and stateful firewall demands.

Using ScreenOS 6.1 for SSGs isn't recommended. You should at least have 6.2, better 6.3. Additionally, your 6.1 release is almost unpatched. If you have to stay with 6.1 for any reason (which I can't imagine at all), you need to go for 6.1.0r7. But IIRC the PPTP ALG did not work reliably before late 6.2 or even 6.3. We use 6.3.0r13 and have no issues anymore, but it already worked much better with 6.2 than with 6.1.

Author Comment

by:shareef_yassin
ID: 39197726
So how can I upgrade this version, as I don't have support from Juniper? From where can I download this version? What effects may occur that could interrupt my production?

Author Comment

by:shareef_yassin
ID: 39197764
Also I need to mention that I disabled the PPTP ALG, and no single session was created.
LVL 68

Expert Comment

by:Qlemo
ID: 39197778
Bad news for you. You won't get support for 6.1 - end of life was 28 Jan 2012. Support for 6.2 will end this year, and 6.3 at the end of 2015.
You can get documentation without a support contract (you may have to log in though) at http://www.juniper.net/support/downloads/screenos.html, but the software is available only with a contract - which is more expensive for the 550 than for e.g. the 320, but should still be in your budget if PPTP is an important feature.

Your only choices are:
- use a MIP for each concurrent PPTP connection - i.e. you have to assign a unique, static public IP for each;
- upgrade ScreenOS.

Whether PPTP works without the ALG depends on your config. Inbound it won't work. Outbound you should be able to establish a single session. But NAT, MIP, DIP, routing and such can interfere with PPTP.

Author Comment

by:shareef_yassin
ID: 39198575
OK, I can try to accept that outbound with a single connection, but it didn't work either.

I allowed, from inside to outside, my private IP to outside any for the protocols PPTP, GRE, HTTP and DNS, and in the advanced tab chose source translate with my dedicated real IP (fixed/port), and it doesn't work either.

Could you please advise?
LVL 68

Expert Comment

by:Qlemo
ID: 39198619
Trust to Untrust traffic has NAT applied by default (and that can't be changed). Hence you do not need Source Translation in the policy; it might even interfere.

The most reliable way is to use a dedicated public IP address (MIP) for PPTP and GRE traffic - if you can't do that, because you only have a single public IP, port forwarding via a VIP definition can help (for port 1723 = PPTP and protocol 47 = GRE). A VIP is defined in the Untrust interface settings.

You can also try whether switching the PPTP ALG on/off works after rebooting the SSG.

Author Comment

by:shareef_yassin
ID: 39198621
How can I use the MIP? Should I use it as destination NAT translation? I mean, in the same rule from inside to outside, in the advanced tab, use the destination translation instead of source translation.

Author Comment

by:shareef_yassin
ID: 39198640
I created a MIP on the outside interface, and in the advanced tab of the inside-to-untrust rule I didn't check any box, and it doesn't work either.
LVL 68

Expert Comment

by:Qlemo
ID: 39198829
We will need exact data to further try to help you. Remember, we cannot see what you have done.

For example:
Your Untrust interface has IP 1.1.1.2, and you have 1.1.1.1 - 1.1.1.6 for your own purposes (that is a block of 8 IPs, minus 1 for the ISP router, one for network, one for broadcast => 5 IPs available).
You defined a MIP of 1.1.1.3 on the Untrust interface.
You created policies in both directions between Trust and Untrust for the MIP to/from any, without service restrictions (for starters).
You set up session logging on those policies.
Those policies are topmost in both Trust to Untrust and Untrust to Trust.

Having done that, all traffic from your specific private IP should get logged, and you can be certain the policy and MIP setting are used.

Author Comment

by:shareef_yassin
ID: 39204366
That is the rule as I created it from trust to untrust, and I used a MIP:
shareef yassin 10.15.20.9      Any      CUSTOM PPTP,DNS,GRE,HTTP,HTTPS,PPTP
testpptp      [Index: 2 Permit application service: IGNORE Logging Enabled Logging At Start Enabled]
LVL 68

Expert Comment

by:Qlemo
ID: 39204387
Do you see anything logged in that policy?

Author Comment

by:shareef_yassin
ID: 39206886
Yes, as below:
2013-05-30 10:58:44      10.15.20.9:1283      dtsrealip::1723      myrealip:1283      81.x.x.221:1723      PPTP      33 sec.      668      630      Close - TCP FIN

2013-05-30 10:58:13      10.15.20.9:2048      dtsrealip::2048      myrealip:2048      81.x.x.221:2048      GRE      0 sec.      0      0      Creation
2013-05-30 10:58:11      10.15.20.9:1283      dtsrealip:1723       myrealip:1283      81.x.x.221:1723      PPTP      0 sec.      0      0      Creation
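A traffic log like the one above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread: it parses rows in the column layout shareef_yassin pasted (time, source, destination, translated source, translated destination, service, duration, bytes sent, bytes received, state), then for each client pairs the PPTP control session (TCP 1723) with its GRE session and reports whether the GRE leg ever carried bytes and whether both legs leave the firewall from the same translated address. The sample rows are constructed from the ones quoted above and keep the same placeholder names.

```python
import re

# Constructed sample rows in the column layout of the ScreenOS policy traffic
# log quoted above: time, source, destination, translated source, translated
# destination, service, duration, bytes sent, bytes received, state.
SAMPLE_LOG = """\
2013-05-30 10:58:44  10.15.20.9:1283  dtsrealip:1723  myrealip:1283  81.x.x.221:1723  PPTP  33 sec.  668  630  Close - TCP FIN
2013-05-30 10:58:13  10.15.20.9:2048  dtsrealip:2048  myrealip:2048  81.x.x.221:2048  GRE  0 sec.  0  0  Creation
2013-05-30 10:58:11  10.15.20.9:1283  dtsrealip:1723  myrealip:1283  81.x.x.221:1723  PPTP  0 sec.  0  0  Creation
"""
FIELDS = ("time", "src", "dst", "xsrc", "xdst", "service", "duration", "sent", "recv", "state")


def parse_line(line):
    """Split one log row on runs of two or more spaces or tabs; None if malformed."""
    cols = re.split(r"\s{2,}|\t+", line.strip())
    if len(cols) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, cols))
    rec["sent"], rec["recv"] = int(rec["sent"]), int(rec["recv"])
    for key in ("src", "dst", "xsrc", "xdst"):  # keep the host part, tolerate "ip::port"
        rec[key] = re.sub(r":+\d+$", "", rec[key])
    return rec


def diagnose(log_text):
    """Per client IP: did the PPTP control leg close, and did GRE ever carry bytes?"""
    out = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        c = out.setdefault(rec["src"], {"control_closed": False, "gre_seen": False,
                                       "gre_bytes": 0, "nat_ips": set()})
        c["nat_ips"].add(rec["xsrc"])
        if rec["service"] == "PPTP" and rec["state"].startswith("Close"):
            c["control_closed"] = True
        elif rec["service"] == "GRE":
            c["gre_seen"] = True
            c["gre_bytes"] += rec["sent"] + rec["recv"]  # counts are reported at close
    for c in out.values():
        # The server pairs GRE with the control connection by peer IP, so both
        # legs must leave the firewall from the same translated source address.
        c["same_nat_ip"] = len(c.pop("nat_ips")) == 1
        if not c["gre_seen"]:
            c["verdict"] = "no GRE session: protocol 47 never matched the policy"
        elif not c["same_nat_ip"]:
            c["verdict"] = "control and GRE legs use different NAT source addresses"
        elif c["control_closed"] and c["gre_bytes"] == 0:
            c["verdict"] = "control closed but GRE never carried data: tunnel leg failed"
        else:
            c["verdict"] = "GRE carried %d bytes" % c["gre_bytes"]
    return out
```

On the rows above the control connection closes with a TCP FIN after 33 seconds while the GRE session never reports any bytes, which is the pattern of a PPTP client giving up because its data leg does not get through.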
LVL 68

Expert Comment

by:Qlemo
ID: 39207185
I understand 10.15.20.9 is your PC's IP, which gets translated to myrealip. But is dtsrealip = 81.x.x.221? (I have removed parts of the public IP of your post for privacy reasons).

Author Comment

by:shareef_yassin
ID: 39247795
Yes.