CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: PPTP issue with R77.30

  1. #1
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Default PPTP issue with R77.30

    Hi Team,

    I am kind of facing a strange issue where I have a 5600 with R77.30 and PPTP pass-through is creating a problem. I mean users behind the firewall are connecting to a remote PPTP server and the LAN at my end is Hide NATted.

    Now the issue I noticed here is that one of the clients is able to connect while the other is not. What could be the reason?

  2. #2
    Join Date
    2006-09-26
    Posts
    3,039
    Rep Power
    15

    Default Re: PPTP issue with R77.30

    Quote Originally Posted by blason
    Hi Team,

    I am kind of facing a strange issue where I have a 5600 with R77.30 and PPTP pass-through is creating a problem. I mean users behind the firewall are connecting to a remote PPTP server and the LAN at my end is Hide NATted.

    Now the issue I noticed here is that one of the clients is able to connect while the other is not. What could be the reason?
    This is a well-"known" issue with Check Point. This NEVER worked until NG with Application Intelligence R55 with HFA 10 or higher.

    For your version R77.30, it will work with just ONE host behind the firewall with Hide NAT connecting to an external PPTP server. If you need more than one host from behind the Check Point gateways to communicate with an external PPTP server, Static NAT is a "must". I don't think there is any workaround for this, unfortunately.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,461
    Rep Power
    8

    Default Re: PPTP issue with R77.30

    Quote Originally Posted by blason
    Hi Team,

    I am kind of facing a strange issue where I have a 5600 with R77.30 and PPTP pass-through is creating a problem. I mean users behind the firewall are connecting to a remote PPTP server and the LAN at my end is Hide NATted.

    Now the issue I noticed here is that one of the clients is able to connect while the other is not. What could be the reason?
    Looks like PPTP requires some extra steps to work with Hide NAT. Have you looked at sk60793?

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,084
    Rep Power
    12

    Default Re: PPTP issue with R77.30

    Quote Originally Posted by jflemingeds
    Looks like PPTP requires some extra steps to work with Hide NAT. Have you looked at sk60793?
    Just ran into this exact situation today, PPTP users attempting to connect to the same destination IP address (in our case on the Internet) through the firewall could only connect one at a time. If a second user tries PPTP to the same IP, that user can't get connected or the first one gets punted out (we saw varying behaviors here). To make this work:

    1) IPS must be enabled on the firewall
    2) The signature "Non Compliant PPTP" must be enabled in the IPS profile assigned to the gateway
    3) The Protocol Type for service pptp-tcp (or whatever service is matching TCP 1723 in your policy - watch out for "Match for Any") must be set to PPTP_TCP. Blanking the protocol field of this service by setting it to None will not help, was the first thing I tried.

    The "Non Compliant PPTP" signature just needs to be enabled (even in Detect Mode) to make multiple PPTP sessions work; heck the entire IPS Profile can even be set in Detect-Only Troubleshooting mode and it will still work. Apparently this signature enables some additional inspection logic that allows the firewall to track multiple PPTP connections behind a Hide NAT.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
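Why a port-less Hide NAT can carry only one PPTP call to a given server, and what the call tracking that the "Non Compliant PPTP" inspection brings has to do, shown as an added simulation that is not part of this thread and is not Check Point's code: the control channel (TCP 1723) negotiates a Call ID in each direction (Outgoing-Call-Request / Outgoing-Call-Reply, RFC 2637), and the data channel is GRE version 1 whose Key field carries the receiver's Call ID instead of any port. Two inside hosts talking to the same server therefore produce return GRE that differs only by Call ID, and if both clients chose the same Call ID not even by that. The helper below rewrites each inside host's Call ID to one that is unique behind the hide IP and uses the GRE Key to demultiplex the replies. Addresses, Call IDs, the message builders and the table layout are constructed for the example; only the wire layouts follow the RFC.

```python
"""PPTP-aware Hide NAT helper, illustrative simulation (RFC 2637 layouts).
Not Check Point code; all hosts, Call IDs and packets below are constructed."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8          # Outgoing-Call-Request / Outgoing-Call-Reply
GRE_PROTO_PPP = 0x880B     # protocol type in PPTP's enhanced GRE header


def build_ocrq(call_id):
    """Client -> server Outgoing-Call-Request (168 bytes); Call ID sits at offset 12."""
    hdr = struct.pack("!HHIHH", 168, 1, PPTP_MAGIC, OCRQ, 0)
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return hdr + body + b"\x00" * 128      # phone number + subaddress, unused here


def build_ocrp(server_call_id, peer_call_id):
    """Server -> client Outgoing-Call-Reply (32 bytes): server's Call ID, then peer's."""
    hdr = struct.pack("!HHIHH", 32, 1, PPTP_MAGIC, OCRP, 0)
    body = struct.pack("!HHBBHIHHI", server_call_id, peer_call_id, 1, 0, 0, 100_000_000, 64, 0, 0)
    return hdr + body


def build_gre(call_id, payload):
    """Enhanced GRE (K set, version 1): Key = payload length + receiver's Call ID."""
    return struct.pack("!BBHHH", 0x20, 0x01, GRE_PROTO_PPP, len(payload), call_id) + payload


def control_type(data):
    length, msg_type, magic, ctrl, _ = struct.unpack_from("!HHIHH", data, 0)
    if msg_type != 1 or magic != PPTP_MAGIC or length != len(data):
        raise ValueError("not a PPTP control message")
    return ctrl


class PptpHideNat:
    """Tracks calls per inside host so port-less GRE can be sent back to the right one."""

    def __init__(self):
        self.next_call_id = 1
        self.by_nat = {}   # (server_ip, nat_call_id) -> {inside_ip, inside_call_id, server_call_id}

    def outbound_control(self, inside_ip, server_ip, data):
        """Rewrite the client's Call ID in OCRQ to one unique behind the hide IP."""
        if control_type(data) != OCRQ:
            return data
        (inside_call_id,) = struct.unpack_from("!H", data, 12)
        nat_call_id, self.next_call_id = self.next_call_id, self.next_call_id + 1
        self.by_nat[(server_ip, nat_call_id)] = {
            "inside_ip": inside_ip, "inside_call_id": inside_call_id, "server_call_id": None}
        return data[:12] + struct.pack("!H", nat_call_id) + data[14:]

    def inbound_control(self, server_ip, data):
        """OCRP: learn the server's Call ID, restore the client's own in Peer's Call ID.
        Returns (inside_ip, rewritten data); (None, None) drops an unknown call."""
        if control_type(data) != OCRP:
            return None, data   # other control messages ride on the TCP 1723 port mapping
        server_call_id, nat_call_id = struct.unpack_from("!HH", data, 12)
        sess = self.by_nat.get((server_ip, nat_call_id))
        if sess is None:
            return None, None
        sess["server_call_id"] = server_call_id
        return sess["inside_ip"], data[:14] + struct.pack("!H", sess["inside_call_id"]) + data[16:]

    def inbound_gre(self, server_ip, pkt):
        """Choose the inside host from the GRE Key's Call ID and restore the client's value."""
        flags, ver, proto, _plen, call_id = struct.unpack_from("!BBHHH", pkt, 0)
        if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not flags & 0x20:
            raise ValueError("not a PPTP GRE packet")
        sess = self.by_nat.get((server_ip, call_id))
        if sess is None:
            return None, None   # unknown call: drop
        return sess["inside_ip"], pkt[:6] + struct.pack("!H", sess["inside_call_id"]) + pkt[8:]


def demo():
    nat, server = PptpHideNat(), "203.0.113.5"
    hosts = ["10.0.0.10", "10.0.0.11"]             # constructed inside hosts, one hide IP
    # Port-less hide NAT: the only reverse key for GRE is (server, proto 47), so the
    # second host silently overwrites the first. That is the one-at-a-time symptom.
    naive = {}
    for h in hosts:
        naive[(server, 47)] = h
    # PPTP-aware helper: both clients pick Call ID 1; the helper makes them distinct.
    nat_ids = [struct.unpack_from("!H", nat.outbound_control(h, server, build_ocrq(1)), 12)[0]
               for h in hosts]
    replies = [nat.inbound_control(server, build_ocrp(4000 + i, nat_ids[i])) for i in range(2)]
    gre = [nat.inbound_gre(server, build_gre(nat_ids[i], b"\xff\x03\xc0\x21")) for i in range(2)]
    return {
        "naive_owner": naive[(server, 47)],
        "nat_ids": nat_ids,
        "reply_hosts": [r[0] for r in replies],
        "reply_peer_ids": [struct.unpack_from("!H", r[1], 14)[0] for r in replies],
        "gre_hosts": [g[0] for g in gre],
        "gre_call_ids": [struct.unpack_from("!H", g[1], 6)[0] for g in gre],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the naive table keeping only the last host while the helper delivers each reply and GRE packet to the right inside host with the client's own Call ID restored. Static NAT, as suggested earlier in the thread, sidesteps the problem because every inside host then has its own public address and the (server, GRE) key is unique again. Separately, PPTP's MS-CHAPv2 authentication is cryptographically broken, so passing it through is a compatibility measure, not an endorsement of the protocol.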

  5. #5
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Default Re: PPTP issue with R77.30

    Quote Originally Posted by ShadowPeak.com
    Just ran into this exact situation today, PPTP users attempting to connect to the same destination IP address (in our case on the Internet) through the firewall could only connect one at a time. If a second user tries PPTP to the same IP, that user can't get connected or the first one gets punted out (we saw varying behaviors here). To make this work:

    1) IPS must be enabled on the firewall
    2) The signature "Non Compliant PPTP" must be enabled in the IPS profile assigned to the gateway
    3) The Protocol Type for service pptp-tcp (or whatever service is matching TCP 1723 in your policy - watch out for "Match for Any") must be set to PPTP_TCP. Blanking the protocol field of this service by setting it to None will not help, was the first thing I tried.

    The "Non Compliant PPTP" signature just needs to be enabled (even in Detect Mode) to make multiple PPTP sessions work; heck the entire IPS Profile can even be set in Detect-Only Troubleshooting mode and it will still work. Apparently this signature enables some additional inspection logic that allows the firewall to track multiple PPTP connections behind a Hide NAT.
    Beauty!! I've been struggling to find a solution for the last couple of months. Let me try the solution that you suggested, though.

  6. #6
    Join Date
    2012-06-13
    Posts
    302
    Rep Power
    6

    Default Re: PPTP issue with R77.30

    But in this case, how is the internal network NATted? Is it Hide or Static NAT?

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,461
    Rep Power
    8

    Default Re: PPTP issue with R77.30

    OK, wait a sec, Shadow posted what is in the SK I posted.

    Oh the outrage!!!

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,084
    Rep Power
    12

    Default Re: PPTP issue with R77.30

    Quote Originally Posted by blason
    But in this case, how is the internal network NATted? Is it Hide or Static NAT?
    Hide NAT.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
