This is a characteristic of PPTP. It is all to do with session id's. To
get around it, use UDP encapsulation with SecuRemote/SecureClient and
terminate a VPN on your FW-1 box (from your clients at site) then run
PPTP through it (if you need to).

You will never get more than 1 person to work with PPTP through NAT,
unless you NAT separate source addresses for each person at the client
end.

The following I swiped from a Google search, which explains it better:

> However, IIRC, there is an issue with PPTP servers. They actually
> cannot deal with multiple connections from the same IP. It is not a
> GRE issue; they don't handle multiple incoming TCP connections on port
> 1723 from the same source IP. Again, IIRC.

Yes, I'm vague on this too, but I believe the limitation is that any
given machine pair can only have one control channel.  The pptp nat
module uses this control channel id to distinguish pptp sessions, and
therefore can't handle more than one pptp between a given machine
pair.  I don't think this limitation is too bad in real life though.


Symon
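To make the session-id limitation concrete, here is a small Python model added to this thread (it is not code from either poster). PPTP carries its data over GRE (IP protocol 47), which has no port numbers; the only per-session field is the 16-bit Call ID in the GRE Key field (RFC 2637). A NAT that keys GRE flows only on the address pair can hold one mapping per server, so a second client behind the same public address displaces the first, which is the "one, sometimes two" symptom described below. A PPTP-aware NAT learns each client's Call ID from the TCP/1723 control channel and rewrites it so the server sees distinct sessions. All addresses, the Call ID values and the two NAT classes are constructed for illustration; the `register_call`/`inbound` names are hypothetical, not any vendor's API.

```python
"""Toy model of PPTP through NAT: address-keyed GRE tracking vs Call ID tracking."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # the ADSL router's single routable address (constructed)
SERVER_IP = "198.51.100.5"   # PPTP server's DMZ address (constructed)


@dataclass(frozen=True)
class GrePacket:
    src: str
    dst: str
    call_id: int   # GRE Key field: the Call ID of the packet's *destination* endpoint


class NaiveGreNat:
    """Keys GRE mappings on (public ip, server ip) only, as a port-oriented NAT would."""

    def __init__(self):
        self.table = {}   # (public_ip, server_ip) -> private client ip

    def outbound(self, pkt):
        key = (PUBLIC_IP, pkt.dst)
        status = "ok"
        if key in self.table and self.table[key] != pkt.src:
            status = "replaced"   # second client steals the mapping; first tunnel dies
        self.table[key] = pkt.src
        return GrePacket(PUBLIC_IP, pkt.dst, pkt.call_id), status

    def inbound(self, pkt):
        """Server -> router GRE: only one private host can ever be the answer."""
        return self.table.get((pkt.dst, pkt.src))


class PptpAwareNat:
    """Tracks each client's Call ID (seen on the control channel) and rewrites it
    so several clients can share one public address without colliding."""

    def __init__(self):
        self.next_public_id = 1
        self.by_public_id = {}   # public call id -> (private ip, private call id)
        self.by_private = {}     # (private ip, private call id) -> public call id

    def register_call(self, client_ip, client_call_id):
        """Client's Outgoing-Call-Request seen on TCP/1723; returns the rewritten Call ID."""
        key = (client_ip, client_call_id)
        if key in self.by_private:
            return self.by_private[key]
        public_id = self.next_public_id
        self.next_public_id += 1
        self.by_private[key] = public_id
        self.by_public_id[public_id] = key
        return public_id

    def inbound(self, pkt):
        """Server -> client GRE: Key holds the client's (public) Call ID; translate back."""
        target = self.by_public_id.get(pkt.call_id)
        if target is None:
            return None   # unknown session: drop
        private_ip, private_call_id = target
        return GrePacket(pkt.src, private_ip, private_call_id)


def demo():
    """Two laptops behind one ADSL router dial the same PPTP server."""
    a, b = "192.168.1.10", "192.168.1.11"   # constructed private addresses

    naive = NaiveGreNat()
    naive.outbound(GrePacket(a, SERVER_IP, 7))
    _, status = naive.outbound(GrePacket(b, SERVER_IP, 9))
    # after b connects, every inbound GRE packet from the server is handed to b
    naive_owner = naive.inbound(GrePacket(SERVER_IP, PUBLIC_IP, 0))

    aware = PptpAwareNat()
    id_a = aware.register_call(a, 0)   # both clients happen to choose Call ID 0
    id_b = aware.register_call(b, 0)
    back_a = aware.inbound(GrePacket(SERVER_IP, PUBLIC_IP, id_a))
    back_b = aware.inbound(GrePacket(SERVER_IP, PUBLIC_IP, id_b))
    return status, naive_owner, id_a, id_b, back_a.dst, back_b.dst


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the address-keyed NAT reporting `"replaced"` and steering all server traffic to the second laptop, while the Call ID-aware NAT hands each client its own rewritten id and routes the server's replies back to the right private host. This is the behaviour Symon's reply alludes to when it says the only alternative is to NAT a separate source address per user.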

-----Original Message-----
From: Simon Spurrell, T-GR [mailto:[EMAIL PROTECTED]]
Sent: 01 October 2002 09:26
To: [EMAIL PROTECTED]
Subject: [FW-1] Microsoft PPTP across address translation router


I have the following situation:

A remote office with 1 to 4 users who want to connect with laptops via PPTP
Remote Access VPN to a Microsoft PPTP VPN server.

The remote office has an office-grade ADSL router with address translation.
One dynamically assigned IP address for the ADSL router.

In the main office we have a checkpoint firewall with a DMZ. The
Microsoft VPN server has one network card in the DMZ and one network
card on the LAN. We use the IP Address of the DMZ network card for the
VPN tunnel configuration on the clients.

The problem is that only one (sometimes two) clients from the remote office
are able to connect to the Microsoft VPN server. If more than this try
to connect, one client's VPN tunnel is dropped.

I think it is a problem with the ADSL address translation router.

Has anyone had this problem before? When I called the ADSL company they
said, "this is the case because the ADSL router only has one internet
routable IP Address".

The ADSL ISP are able to give me one fixed IP on request. They might be
able to replace the router. They are not able to give me a subnet of
real IP's.

Could anyone advise?

Thanks.
Simon

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
