Link to home
Start Free TrialLog in
Avatar of shareef_yassin

asked on

how to bypass the pptp SSG550 6.1.0r2.0

Dear Sir,

kindly be informed that I have SSG550 v internal users arent enable to connect to external VPN servers when I followed the below artical it didnt work too. and in the same time I have ISA server in the DMZ to connect the users VPN it is stopped after I enabled ALG PPTP:


so please advise what i should do or how i trace the problem
Avatar of Qlemo
Flag of Germany image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of shareef_yassin


so how i can upgrade this version as i dont have support from juniper?  from where i can download this version?what is the effects that may occur to interrupt my production?
also i need to mention that i disabled the PPTP ALG  and no single session created
Bad news for you. You won't get support for 6.1 - end of life 28 Jan 2012. Support for 6.2 will end this year, and 6.3 end of 2015.
You can get documention without support contract (you may have to log in though) at, but the software is available only with a contract - which is more expensive for 550 than for e.g. 320, but should still be in your budget if PPTP is an important feature.

Your only choices are:
use a MIP for each concurrent PPTP connection - i.e. you have to assign an unique, static public IP for each.
upgrade ScreenOS.

Whether PPTP works without the ALG depends on your config. Inbound it won't work. Outbound you should be able to establish a single session. But NAT, MIP, DIP, routing and such can interfere with PPTP.
ok i can try to accept that outbound with single connection.but it didnt work too.

i allawed from inside to outside my private IP to outside any for the protocols PPTP,GRE,HTTP and DNS and in advanced chooses source translate with my dedicated real IP fix/port and it doesnt work too.

could you please advise
Trusted to Untrusted traffic has NAT applied by default (and that can't be changed). You do not need Source Translation of the policy hence, it might even interfere.

The most reliable way is to use a dedicated public IP address (MIP) for PPTP and GRE traffic - if you can't do that, because you only have a single public IP, port forwarding via a VIP definition can help (for port 1723 = PPTP and protocol 47 = GRE). A VIP is defined in the Untrust interface settings.

You can also try if switching on/off PPTP ALG works after rebooting SSG.
how i can use the MIP?should i used it as destination nat translation "i mean in the same rule from inside to outside in the advanced tab use the destination translation instead of source translation"
i created MIP on the outside interface and in the advanced tab in the inside to untrust rule didn't check any box and it doesn't work too
We will need exact data to further try to help you. Remember, we cannot see what you have done.

For example:
Your Untrust interface has IP, and you have - for your own purposes (that is a block of 8 IPs, minus 1 for the ISP router, one for network, one for broadcast => 5 IPs available).
You defined a MIP of on the Untrust interface.
You created policies in both directions of Trust to Untrust for the MIP to/from any, without service restrictions (for starters).
You set up session logging on that policies.
That policies are topmost in both Trust to Untrust and Untrust to Trust.

Having done that, all traffic from your specific private IP should get logged, and you can be certain the policy and MIP setting are used.
that is the rule as i created from trust to untust and i used MIP
shareef yassin      Any      CUSTOM PPTP,DNS,GRE,HTTP,HTTPS,PPTP
testpptp      [Index: 2 Permit application service: IGNORE Logging Enabled Logging At Start Enabled]
Do you see anything logged in that policy?
yes as bellow :
2013-05-30 10:58:44      dtsrealip::1723      myrealip:1283      81.x.x.221:1723      PPTP      33 sec.      668      630      Close - TCP FIN

2013-05-30 10:58:13      dtsrealip::2048      myrealip:2048      81.x.x.221:2048      GRE      0 sec.      0      0      Creation
2013-05-30 10:58:11      dtsrealip:1723       myrealip:1283      81.x.x.221:1723      PPTP      0 sec.      0      0      Creation
I understand is your PC's IP, which gets translated to myrealip. But is dtsrealip = 81.x.x.221? (I have removed parts of the public IP of your post for privacy reasons).