CPUG - The Check Point User Group
PPTP Communication

You must add a rule permitting access between your PPTP clients and server. PPTP uses two services:

- TCP port 1723 for the control session
- A variation of the GRE protocol (IP protocol 47) for data

To create this last service, create a service of type Other. For the name, use PPTP-Data. In the match field, put:

    ip_p = 47, [22:2,b] = 0x880B

In NG, set the Protocol number to 47 and use `[22:2,b] = 0x008B` in the match field. (Note: `ip_p = 47` identifies the IP protocol type as GRE. `[22:2,b] = 0x880B` identifies the payload protocol as PPTP.)

The rules look like this:

| Source | Destination | Service | Action |
| --- | --- | --- | --- |
| PPTP-Clients | PPTP-Server | PPTP-Control, PPTP-Data | Accept |
| PPTP-Server | PPTP-Clients | PPTP-Control, PPTP-Data | Accept |

PPTP will work with Static NAT, but not HIDE NAT.

Someone (ccna55ATyahooDOTcom) posted on the 1st of April 2003 the following:

> This is how I did it and it worked well. I have investigated this issue for some 16 hours and I finally got it to work...
>
> PPTP on Check Point 4.1 SP4
>
> Do the following to configure the service for Microsoft's PPTP (Point To Point Tunneling Protocol) and use this service in the rulebase:
>
> 1. Define a new service of type OTHER:
>    A. The name is GRE
>    B. In the match tab put the following: ip_p=47
>    C. The prologue section should be empty.
> 2. Define another new service of type TCP:
>    A. The name is GRE_Setup
>    B. Select port number 1723
> 3. Define a group of services, PPTP. The group includes the GRE service and the GRE_Setup service.
>
> This is where it differs a bit....
>
> Rules: add a rule closer to the top of the rules:
>
>     Normal Natted machine (internal address NATed to external address) -> Any -> PPTP -> Accept
>
> You need to add the following rule before the cleanup rule:
>
>     Valid_address_of_PPTP_server (General tab, external address only) -> Any -> PPTP -> Accept

Note that, using NAT, you can't just use your normal PPTP server object in this rule. You need to make a new object (without anything on the NAT tab) that represents the public (NAT-ed) IP address of your PPTP server and use it in this rule.

-- GuyR - 18 Jan 2004

FAQs.Class: ServicesFAQs
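Added example, not code from the CPUG FAQ or from Check Point: a small Python check that applies the PPTP-Data match from the FAQ above, `ip_p = 47` and `[22:2,b] = 0x880B`, to a raw IPv4 packet the way the firewall classifies GRE-carried PPTP data, and shows why the fixed offset 22 depends on a 20-byte IP header. The packet builder, addresses and call ID are constructed for the example.

```python
import struct

# Added example, not code from the CPUG FAQ. Byte 9 of the IP header is the
# protocol number (ip_p); [22:2,b] means two bytes at offset 22 from the start
# of the IP header, read big-endian. Offset 22 is byte 2 of the GRE header
# (its Protocol Type field) only when the IP header is exactly 20 bytes.

GRE_PROTO = 47          # ip_p = 47 -> GRE
PPTP_PAYLOAD = 0x880B   # GRE Protocol Type for PPP, i.e. PPTP data


def is_pptp_data(packet: bytes) -> bool:
    """Return True if the packet matches the PPTP-Data service definition."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        return False                      # too short or not IPv4
    if packet[9] != GRE_PROTO:
        return False                      # ip_p != 47
    ihl = (packet[0] & 0x0F) * 4
    if ihl != 20:
        # Caveat: with IP options the GRE header no longer starts at byte 20,
        # so the fixed [22:2,b] offset would read the wrong field.
        return False
    (gre_type,) = struct.unpack_from("!H", packet, 22)
    return gre_type == PPTP_PAYLOAD


def build_sample(ip_p: int, gre_type: int) -> bytes:
    """Construct a minimal IPv4 packet (no options) carrying an RFC 2637
    enhanced-GRE header; addresses and IDs are made up for this example."""
    gre_hdr = struct.pack("!HHHHI",
                          0x3001,     # K and S bits set, GRE version 1
                          gre_type,   # Protocol Type: 0x880B for PPP
                          0,          # payload length (no payload here)
                          4242,       # call ID (constructed)
                          1)          # sequence number
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(gre_hdr), 0, 0, 64, ip_p, 0,
                         bytes([192, 0, 2, 10]),     # client, RFC 5737 range
                         bytes([198, 51, 100, 1]))   # server, RFC 5737 range
    return ip_hdr + gre_hdr


if __name__ == "__main__":
    print(is_pptp_data(build_sample(47, 0x880B)))   # True: GRE carrying PPP
    print(is_pptp_data(build_sample(47, 0x0800)))   # False: GRE carrying IPv4
    print(is_pptp_data(build_sample(6, 0x880B)))    # False: TCP, not GRE
```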