RE: PPTP Question

["Webb, Andy" <Andy.Webb () swinc com>]

Yes, you can do PPTP through a firewall that performs NAT.  And the
addresses you allocate can be from the private IP ranges (10.x.x.x,
192.168.x.x, etc.).  The trick question is, can your firewall do:
1) reverse mapping of inbound traffic.  e.g. Inbound traffic on TCP/1723
should be mapped to 192.168.1.3 - our NT server with RRAS and PPTP.
2) passing of GRE traffic. i.e. IP protocol 47 - several firewalls
cannot, some can.

On the remote system, the PPTP destination, then, is the external IP
address of the firewall.

See all other conversations re: the relative security of PPTP.

=======================================================
Andy Webb         awebb () swinc com         www.swinc.com
Simpler-Webb, Inc.       Austin, TX        512-322-0071
              "Mauve has more RAM" - Dilbert
=======================================================


> -----Original Message-----
> From: Ge' Weijers [mailto:ge () progressive-systems com]
> Sent: Thursday, April 16, 1998 11:47 AM
> To: Joseph S. D. Yao
> Cc: Tina Bird; vpn () listserv iegroup com; firewall-wizards () nfr net
> Subject: Re: PPTP Question
>
>
>
> My reasonably educated guess is that PPTP can be sent through 
> a NAT router
> successfully. The control packets don't seem to contain any 
> IP addresses,
> so I don't expect any problems there. As long as the NAT 
> router can figure
> out to which machine the GRE packets should be sent things will work.
>
> The payloads of the GRE packets are PPP frames, and PPP (IPCP) can
> negotiate any IP address for use inside the tunnel, the NAT 
> does not need
> any cleverness to handle this.
>
> An MIT student project actually succeeded in proxying PPTP through a
> Linux-based firewall, see:
http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/

Hope this helps,

Ge'


On Tue, 14 Apr 1998, Joseph S. D. Yao wrote:

> > According to the VPN book, the PPTP packet consists of the delivery
> > header, the IP header, a GREv2 header and the payload.  The IP
> > header of course contains the source and destination IP addresses.
> > But if I'm using redirection at the firewall or other NAT device (so
> > the connection is ostensibly made between the PC's address and a
> > particular port or virtual IP address on the external side of the
> > firewall), where is the >internal< IP address being broadcast?
>
> More to the point, is there any way to make the IP addresses in the
> delivery header and the internal IP header [presumably not the
external
> IP header, since you said this is the PPTP packet, which is
> encapsulated in the IP packet] different?  If not, you can't have NAT.
>
> --
> Joe Yao                               jsdy () cospo osis gov - Joseph S.
D. Yao
> COSPO Computer Support
EMT-A/B
>
-----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.

Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400
Columbus, OH 43220           http://www.Progressive-Systems.com