Umm, your solution there sounds reasonable. What PPTP server are you using?
If Microsoft, check out technet to see if there's a way to static the port.
A quick search showed me the below, though I don't know how much help it'll
be to you.
Setting Up PPTP Behind a Firewall
PPTP can be set up behind a firewall. The firewall must be configured to
allow port 1723 and protocol 47 (GRE) to pass through. Most users make the
mistake of configuring only port 1723 and not protocol 47. Many older
firewalls do not support protocol 47 and are not compatible.
In this approach, the firewall controls the sources of traffic to the PPTP
server. The firewall filters PPTP packets, using the clear-text headers, and
passes the packets to the PPTP server. The PPTP server then decrypts the
packet and forwards it to the appropriate destination on the private
network. In this configuration, the firewall cannot filter the contents of
the packet, which remains encrypted until it reaches the PPTP server.
In this context, the limited filtering capabilities do not present a
security concern. Users are authenticated during the establishment of the
PPTP connection, and this process prevents unauthorized access.
To allow PPTP packets to pass through the firewall to the PPTP server, the
firewall's Internet interface must be configured with input and output
filters. PPTP traffic uses TCP port 1723 and IP protocol ID 47. To
allow PPTP traffic to pass through the firewall, set the following filters
on the firewall.
Input filters
Destination packet filter for port 1723. The packet filter should include
the address of the PPTP server, so that the firewall admits only inbound
traffic addressed to the PPTP server.
Packet filter for IP protocol 47.
Output filters
Source packet filter for port 1723. The packet filter should include the
address of the PPTP server, so that all outbound PPTP traffic must originate
from the PPTP server.
Packet filter for IP protocol 47.
Optionally, you can set a filter that restricts IP protocol 47 traffic to
and from the PPTP server address only. If the number of PPTP clients and
their addresses is fixed, you can add filters that restrict traffic to these
addresses.
A few samples follow. For in-depth instructions for setting up these
filters, see the documentation for your firewall. To permit FTP or Web
traffic to pass through to specific intranet IP addresses, set additional
filters on the firewall.
Port 1723 must be enabled at all routers or firewalls between the PPTP
client and server.
You must configure six filters to allow PPTP tunnels to pass through.
>Input Filter: Source packet filter for port 1723
>Input Filter: Destination packet filter for port 1723
>Input Filter: Packet filter for allowing protocol 47 through
>Output Filter: Source packet filter for port 1723
>Output Filter: Destination packet filter for port 1723
>Output Filter: Packet filter for allowing protocol 47 through
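As an added illustration (not part of the quoted Microsoft text or this reply), the following Python models the six filters above as a stateless packet filter and evaluates some constructed sample packets against it, alongside the "port 1723 only" misconfiguration the text warns about. The server and client addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address

PPTP_SERVER = ip_address("192.0.2.10")  # constructed sample address for the PPTP server
TCP, GRE = 6, 47                        # IP protocol numbers; GRE (47) carries the tunnel

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving on the Internet interface, "out" = leaving it
    proto: int
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports (GRE)
    dport: int = 0

def input_filter(p: Packet) -> bool:
    """Inbound: TCP port 1723 to the PPTP server, or protocol 47 (GRE) to the server."""
    to_server = ip_address(p.dst) == PPTP_SERVER
    if p.proto == TCP and to_server and 1723 in (p.sport, p.dport):
        return True
    return p.proto == GRE and to_server

def output_filter(p: Packet) -> bool:
    """Outbound: TCP port 1723 from the PPTP server, or protocol 47 (GRE) from the server."""
    from_server = ip_address(p.src) == PPTP_SERVER
    if p.proto == TCP and from_server and 1723 in (p.sport, p.dport):
        return True
    return p.proto == GRE and from_server

def allowed(p: Packet) -> bool:
    """Apply the filter set for the packet's direction; anything unmatched is dropped."""
    return input_filter(p) if p.direction == "in" else output_filter(p)

def port_only(p: Packet) -> bool:
    """The mistake the text warns about: only TCP/1723 open, protocol 47 blocked."""
    return p.proto == TCP and 1723 in (p.sport, p.dport)

CLIENT, SERVER = "198.51.100.7", str(PPTP_SERVER)  # constructed sample addresses
SAMPLES = {
    "control in":  Packet("in",  TCP, CLIENT, SERVER, 40000, 1723),
    "control out": Packet("out", TCP, SERVER, CLIENT, 1723, 40000),
    "gre in":      Packet("in",  GRE, CLIENT, SERVER),
    "gre out":     Packet("out", GRE, SERVER, CLIENT),
    "wrong host":  Packet("in",  TCP, CLIENT, "192.0.2.20", 40000, 1723),
    "other port":  Packet("out", TCP, SERVER, CLIENT, 5000, 40000),
}

def verdicts(rule=allowed) -> dict:
    """Evaluate every sample packet with the given filter function."""
    return {name: rule(p) for name, p in SAMPLES.items()}
```

With the full six-filter set the control connection and the GRE tunnel both pass while traffic to other hosts or from other server ports is dropped; with only port 1723 open, the GRE packets are dropped and the tunnel never comes up.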
-----Original Message-----
From: Ferraris, Steve, CIV (N2m) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 29, 2000 2:40 PM
To: '[EMAIL PROTECTED]'
Subject: PPTP through Gauntlet Firewall
Has anybody experienced the following, and if so, could you provide a
recommended solution?
1. PPTP
Problem: VPN is able to make a connection from outside the firewall (using
port 1723). However, when the VPN server makes its way back to the VPN
client it triggers a security alert. The server is trying to serve the VPN
client using a dynamic port which is not allowed by the firewall.
Solution: There may be a way to statically specify which port the server
can use to connect back to VPN clients.
Steve Ferraris
MITRE/NCTAMSPAC N-2M
808-653-7520 (W)
315-453-7520 (DSN)
808-577-6005 (Pgr)
808-653-1112 (Fax)
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]