  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 358

How to bypass the PPTP (ALG) on SSG550 6.1.0r2.0

Dear Sir,

Kindly be informed that I have an SSG550 v6.1.0r2.0. My internal users aren't able to connect to external VPN servers; when I followed the articles below it didn't work either. At the same time I have an ISA server in the DMZ for the users' VPN connections, and it stopped working after I enabled the PPTP ALG:

1. http://kb.juniper.net/InfoCenter/index?page=content&id=KB12309
2. http://kb.juniper.net/InfoCenter/index?page=content&id=KB4481

So please advise what I should do, or how I can trace the problem.

Asked: shareef_yassin
1 Solution
 
Qlemo (C++ Developer) commented:
The PPTP ALG of ScreenOS 6 went through a lot of patches. I myself had several support cases with Juniper regarding it. If you do not use the PPTP ALG, a single PPTP session can be created. If you use the PPTP ALG, it depends on randomly chosen session states, and on whether unique source and target IPs are involved. It is quite complex because of GRE in combination with NAT and stateful firewall demands.

Using ScreenOS 6.1 on SSGs isn't recommended. You should at least have 6.2, better 6.3. Additionally, your 6.1 release is almost unpatched. If you have to stay with 6.1 for any reason (which I can't imagine at all), you need to go to 6.1.0r7. But IIRC the PPTP ALG did not work reliably before late 6.2 or even 6.3. We use 6.3.0r13 and have no issues anymore, but it worked much better with 6.2 than with 6.1.
0
 
shareef_yassin (Author) commented:
So how can I upgrade this version, as I don't have support from Juniper? From where can I download this version? What effects may occur that could interrupt my production?
0
 
shareef_yassin (Author) commented:
Also I need to mention that I disabled the PPTP ALG, and no single session was created.
0

 
Qlemo (C++ Developer) commented:
Bad news for you. You won't get support for 6.1: end of life was 28 Jan 2012. Support for 6.2 will end this year, and 6.3 at the end of 2015.
You can get documentation without a support contract (you may have to log in, though) at http://www.juniper.net/support/downloads/screenos.html, but the software is available only with a contract, which is more expensive for the 550 than for e.g. the 320, but should still be in your budget if PPTP is an important feature.

Your only choices are:
  • use a MIP for each concurrent PPTP connection, i.e. you have to assign a unique, static public IP for each;
  • upgrade ScreenOS.

Whether PPTP works without the ALG depends on your config. Inbound it won't work. Outbound you should be able to establish a single session. But NAT, MIP, DIP, routing and the like can interfere with PPTP.
0
 
shareef_yassin (Author) commented:
OK, I can try to accept outbound with a single connection, but it didn't work either.

I allowed, from inside to outside, my private IP to outside any for the protocols PPTP, GRE, HTTP and DNS, and in Advanced chose source translation with my dedicated real IP (fixed port), and it doesn't work either.

Could you please advise?
0
 
Qlemo (C++ Developer) commented:
Trust to Untrust traffic has NAT applied by default (and that can't be changed). Hence you do not need source translation in the policy; it might even interfere.

The most reliable way is to use a dedicated public IP address (MIP) for the PPTP and GRE traffic. If you can't do that because you only have a single public IP, port forwarding via a VIP definition can help (for port 1723 = PPTP and protocol 47 = GRE). A VIP is defined in the Untrust interface settings.

You can also try whether switching the PPTP ALG on/off works after rebooting the SSG.
0
 
shareef_yassin (Author) commented:
How can I use the MIP? Should I use it as a destination NAT translation? I mean, in the same rule from inside to outside, in the Advanced tab, use destination translation instead of source translation?
0
 
shareef_yassin (Author) commented:
I created a MIP on the outside interface, and in the Advanced tab of the inside-to-untrust rule I didn't check any box, and it doesn't work either.
0
 
Qlemo (C++ Developer) commented:
We will need exact data to help you further. Remember, we cannot see what you have done.

For example:
Your Untrust interface has IP 1.1.1.2, and you have 1.1.1.1 - 1.1.1.6 for your own purposes (that is a block of 8 IPs, minus one for the ISP router, one for the network and one for broadcast => 5 IPs available).
You defined a MIP of 1.1.1.3 on the Untrust interface.
You created policies in both directions (Trust to Untrust and Untrust to Trust) for the MIP to/from any, without service restrictions (for starters).
You set up session logging on those policies.
Those policies are topmost in both Trust to Untrust and Untrust to Trust.

Having done that, all traffic from your specific private IP should get logged, and you can be certain the policy and MIP settings are used.
0
 
shareef_yassin (Author) commented:
That is the rule as I created it from Trust to Untrust, and I used a MIP:
shareef yassin 10.15.20.9      Any      CUSTOM PPTP,DNS,GRE,HTTP,HTTPS,PPTP
testpptp      [Index: 2 Permit application service: IGNORE Logging Enabled Logging At Start Enabled]
0
 
Qlemo (C++ Developer) commented:
Do you see anything logged by that policy?
0
 
shareef_yassin (Author) commented:
Yes, as below:
2013-05-30 10:58:44    10.15.20.9:1283    dtsrealip:1723    myrealip:1283    81.x.x.221:1723    PPTP    33 sec.    668    630    Close - TCP FIN

2013-05-30 10:58:13    10.15.20.9:2048    dtsrealip:2048    myrealip:2048    81.x.x.221:2048    GRE     0 sec.     0      0      Creation
2013-05-30 10:58:11    10.15.20.9:1283    dtsrealip:1723    myrealip:1283    81.x.x.221:1723    PPTP    0 sec.     0      0      Creation
0
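As an added example that is not part of this thread: the session-log rows posted above can be checked mechanically for the two things the discussion turns on, whether a GRE data session follows each PPTP control session (TCP/1723) from the same inside host, and whether both left the firewall with the same translated source address (a MIP is only doing its job if the GRE packets carry it too). The script is my own Python, not the author's or Juniper's; it assumes the columns are time, source, destination, translated source, translated destination, service, duration, bytes sent, bytes received and event, in the order of the posted rows and tab-separated as exported, and it runs over constructed rows that use RFC 5737 documentation addresses in place of the real public IPs.

```python
from dataclasses import dataclass
from datetime import datetime

PPTP_CTRL_PORT = 1723   # TCP control channel; the data channel is GRE (IP protocol 47)


@dataclass
class Session:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    xsrc: str       # source address after NAT (interface IP, DIP or MIP)
    xsport: int
    xdst: str
    xdport: int
    service: str
    event: str      # "Creation" or "Close - <reason>"


# Constructed sample shaped like the ScreenOS policy session log posted above
# (assumed column order: time, source, destination, translated source,
# translated destination, service, duration, bytes sent, bytes received,
# event), tab-separated, newest row first as the GUI shows it. 198.51.100.2
# plays the MIP and 198.51.100.3 the Untrust interface IP. Not real data.
SAMPLE_LOG = """\
2013-05-30 10:58:44\t10.15.20.9:1283\t203.0.113.221::1723\t198.51.100.2:1283\t203.0.113.221:1723\tPPTP\t33 sec.\t668\t630\tClose - TCP FIN
2013-05-30 10:58:13\t10.15.20.9:2048\t203.0.113.221:2048\t198.51.100.2:2048\t203.0.113.221:2048\tGRE\t0 sec.\t0\t0\tCreation
2013-05-30 10:58:11\t10.15.20.9:1283\t203.0.113.221:1723\t198.51.100.2:1283\t203.0.113.221:1723\tPPTP\t0 sec.\t0\t0\tCreation
2013-05-30 11:02:05\t10.15.20.9:1301\t203.0.113.221:1723\t198.51.100.2:1301\t203.0.113.221:1723\tPPTP\t0 sec.\t0\t0\tCreation
2013-05-30 11:02:40\t10.15.20.9:1301\t203.0.113.221:1723\t198.51.100.2:1301\t203.0.113.221:1723\tPPTP\t35 sec.\t180\t0\tClose - TCP RST
2013-05-30 11:05:10\t10.15.20.10:1400\t203.0.113.221:1723\t198.51.100.2:1400\t203.0.113.221:1723\tPPTP\t0 sec.\t0\t0\tCreation
2013-05-30 11:05:12\t10.15.20.10:2048\t203.0.113.221:2048\t198.51.100.3:2048\t203.0.113.221:2048\tGRE\t0 sec.\t0\t0\tCreation
"""


def _addr(field: str):
    """Split 'host:port'; tolerate the 'host::port' typo seen in the posted log."""
    host, _, port = field.strip().rpartition(":")
    return host.rstrip(":"), int(port)


def parse_log(text: str):
    """Parse tab-separated session rows into Session objects, oldest first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 10:
            raise ValueError(f"expected 10 tab-separated columns: {line!r}")
        ts, src, dst, xsrc, xdst, service, _dur, _tx, _rx, event = cols
        sessions.append(Session(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            *_addr(src), *_addr(dst), *_addr(xsrc), *_addr(xdst),
            service.strip(), event.strip()))
    return sorted(sessions, key=lambda s: s.ts)


def correlate(sessions, window_s=60):
    """One finding per PPTP control-channel creation: did a GRE session from the
    same inside host to the same server follow within window_s seconds, and did
    both leave with the same translated source? If not, the VPN server sees GRE
    from an address that never opened a control channel and drops it."""
    gre = [s for s in sessions if s.service == "GRE" and s.event == "Creation"]
    closes = {(s.src, s.sport, s.dst, s.dport, s.service): s
              for s in sessions if s.event.startswith("Close")}
    findings = []
    for c in sessions:
        if not (c.service == "PPTP" and c.dport == PPTP_CTRL_PORT and c.event == "Creation"):
            continue
        data = next((g for g in gre
                     if g.src == c.src and g.dst == c.dst
                     and 0 <= (g.ts - c.ts).total_seconds() <= window_s), None)
        close = closes.get((c.src, c.sport, c.dst, c.dport, c.service))
        findings.append({
            "control": f"{c.src}:{c.sport} -> {c.dst}:{c.dport}",
            "control_nat_src": c.xsrc,
            "gre_seen": data is not None,
            "gre_nat_src": data.xsrc if data else None,
            "nat_consistent": data is not None and data.xsrc == c.xsrc,
            "close": close.event if close else None,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        status = ("ok" if f["gre_seen"] and f["nat_consistent"]
                  else "no GRE session followed" if not f["gre_seen"]
                  else "GRE NAT source differs from control channel")
        print(f"{f['control']:<36} {status:<42} {f['close'] or 'still open'}")
```

Run over the constructed rows it reports the first session as consistent (control and GRE both translated to the MIP, closed by TCP FIN), the second as a control channel that never got a GRE session, and the third as the failure mode a MIP is meant to prevent: GRE leaving with the interface IP while the control channel left with the MIP. On a real export, feed it the policy's session log with the same columns and look for the last two patterns.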
 
Qlemo (C++ Developer) commented:
I understand 10.15.20.9 is your PC's IP, which gets translated to myrealip. But is dtsrealip = 81.x.x.221? (I have removed parts of the public IP in your post for privacy reasons.)
0
 
shareef_yassin (Author) commented:
Yes.
0
