Allow PPTP traffic inbound through a Juniper Firewall in NAT mode with only 1 publicly available IP address

SUMMARY:

Allow PPTP traffic inbound through a Juniper Firewall in NAT mode with only 1 publicly available IP address. The same method applies to port forwarding in general: substitute the protocol or service in question (e.g. HTTP in place of PPTP).

PROBLEM OR GOAL:

Environment:
  • VIP same as untrust
  • Only have 1 publicly available IP address
  • VIP defined with PPTP service
Symptoms & Errors:
  • Cannot define VIP same as untrust if using PPTP as service

SOLUTION:

Note: This article applies to ScreenOS 5.0 and higher. To address this problem, enable the VIP multi-port command, which allows a VIP service to listen on more than one port. Without this command, a VIP service can only listen on a single port. Note that setting VIP multi-port requires a reboot.

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

With multi-port enabled, the VIP uses the first port it finds in the custom service as its listening port (2048 in the example below), and the other ports in that service are forwarded to the same host along with it.

Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10 [Enter]

Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit [Enter]
save [Enter]

In this example, the PPTP server was assumed to be on the trust side of the Firewall, at IP address 10.1.1.10. Note that the custom PPTP service must contain both TCP port 1723 (the control connection) and IP protocol 47 (GRE, which carries the tunnelled data); Microsoft Windows clients will not connect unless both are forwarded. GRE itself has no port numbers; 2048 is a placeholder port that the service and VIP definitions require. The source port for TCP 1723 must be 0-65535 to allow for any source port. The policy above permits connections from "any"; where the client addresses are known, replace "any" with an address book entry covering them so that the exposed service is reachable only from those sources.
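The following Python script is an added example, not part of the Juniper article. It opens the PPTP control connection on TCP port 1723, sends a Start-Control-Connection-Request and decodes the Start-Control-Connection-Reply, which is a quick way to confirm that the VIP and policy above pass TCP 1723 to the server behind the firewall. Message layouts follow RFC 2637. The host name and vendor strings, and the constructed sample reply used for offline testing, are assumptions; the script does not exercise GRE (IP protocol 47), so the only complete check remains a real PPTP client connecting through the firewall.

```python
# Added example (not from the Juniper KB article): probe of the PPTP control
# connection on TCP/1723, the half of PPTP that the VIP forwards alongside GRE.
# Message layouts follow RFC 2637 sections 2.1 (SCCRQ) and 2.2 (SCCRP).
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1          # Start-Control-Connection-Request
CTRL_SCCRP = 2          # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100

# length, msg type, cookie, ctrl type, reserved0, version, reserved1,
# framing caps, bearer caps, max channels, firmware rev, host name, vendor
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# length, msg type, cookie, ctrl type, reserved0, version, result code,
# error code, framing caps, bearer caps, max channels, firmware rev, host, vendor
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
CTRL_LEN = struct.calcsize(SCCRQ_FMT)   # 156 bytes for both messages


def build_sccrq(hostname=b"probe", vendor=b"probe"):
    """Build a Start-Control-Connection-Request as a PPTP client would send it."""
    return struct.pack(
        SCCRQ_FMT, CTRL_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0,
        PROTOCOL_VERSION, 0,
        1,   # framing capabilities: asynchronous framing supported
        1,   # bearer capabilities: analog access supported
        0, 0,
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate and decode a Start-Control-Connection-Reply; ValueError if it is not one."""
    if len(data) < CTRL_LEN:
        raise ValueError("short reply: %d bytes" % len(data))
    (length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:CTRL_LEN])
    if msg_type != MSG_TYPE_CONTROL or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "ok": result == 1,            # result code 1 = successful channel establishment
        "result_code": result,
        "error_code": error,
        "version": version,
        "max_channels": max_chan,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open the control connection to host:port and return the decoded reply.
    A valid reply proves the VIP and policy pass TCP/1723; GRE still needs a real client."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < CTRL_LEN:
            chunk = sock.recv(CTRL_LEN - len(buf))
            if not chunk:
                raise ValueError("connection closed after %d bytes" % len(buf))
            buf += chunk
    return parse_sccrp(buf)


def constructed_sccrp(hostname=b"pptp-server", result=1):
    """A constructed (not captured) reply, used only to test the parser offline."""
    return struct.pack(
        SCCRP_FMT, CTRL_LEN, MSG_TYPE_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0,
        PROTOCOL_VERSION, result, 0, 1, 1, 1, 0,
        hostname.ljust(64, b"\0"), b"example".ljust(64, b"\0"))


if __name__ == "__main__":
    import sys
    # Usage: python pptp_probe.py <public-ip-of-the-firewall>
    # Without an argument, decode the constructed sample reply instead of connecting.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe(target) if target else parse_sccrp(constructed_sccrp()))
```

Run it against the firewall's public address from the untrust side. A decoded reply with result code 1 and the server's host name shows that TCP 1723 reaches 10.1.1.10 through the VIP; a timeout or reset means the policy or the VIP definition is not matching, and a reply that is not a control message means something other than the PPTP server answered.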

To allow multiple outgoing PPTP client connections through a firewall using a DIP pool, follow article: KB5303 – Multiple PPTP clients cannot connect outgoing when using DIP with port-translation.

Category: Networking
