Do you have anti-spoofing stuff enabled?  That might be the problem.  Check
your logs.

I had to deal with this a few years ago... It might be different now, but I
doubt it.

We had NAT to an internal PPTP server.  I found that the response packets from
this internal PPTP server had a source address which was its external address,
which, of course, the machine shouldn't even see.  It seems the target address
of the PPTP server is embedded in the payload of the packet from the client,
and the server sets the source address of its response packets to that address.

So, if you have anti-spoofing enabled, you'll have to change valid addresses
from "this net" to specific, and set up a group that includes your internal
network and this one external address.  Or add a rule to allow outgoing
connections from this external source address.  Or both...

On Thu, 24 Aug 2000, Miller, Byron wrote:

> Date: Thu, 24 Aug 2000 11:31:59 -0400
> From: "Miller, Byron" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [FW1] More on NAT / PPTP and Firewall 1 NT 4.0 
> 
> 
> Hello everyone.
> 
>       I have an NT 4.0 box running Firewall-1 4.0. I set up another NT
> 4 box on our internal LAN running PPTP with an address of 192.168.1.136
> and created a static external address as well for it.  I followed the normal
> NAT setup and created the following rules as well.
> 
>       Service: GRE, Match ip_p = 47
>       Service: PPTP, Port 1723 TCP
> 
> 
> I set this rule up for internal server to be able to send and receive
> traffic.
> 
> I still have no ability to do PPTP from outside the firewall. In the
> log viewer I can see the traffic being allowed, but the client just doesn't
> connect and quits.
> 
> I have searched and some people say it can't be done, some people have
> said it works.
> 
> I have created a route such as  route add 206.126.32.101  192.168.1.136 and
> did an arp as well on the firewall box.
> 
> Is there anything I may be missing, or is there a service pack level I
> should be at on this box?
> 
> I don't see it making much sense in plugging in an NT server on the external
> side of the firewall since that basically adds more gateways into the
> network.  Our internet router plugs right into the firewall and then it hits
> our network. I don't have to have to plug in a hub and have a server
> external to the firewall that can still speak to our internal network since
> that would require more work than I want to do and more maintenance.
> 
> I would figure FW1 would be capable of doing this since I can do this on my
> 59.00 Winproxy server at home :)
> 
> Thanks for any help and ideas.  
> 
> -byron
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 

-- 
------------------------------------------------------------------
Sid Van den Heede               Open Text Corporation
+1 519 888 7111 x2211           185 Columbia Street West
+1 519 888 0677 (fax)           Waterloo, Ontario, Canada  N2L 5Z5
[EMAIL PROTECTED]               OpenPGP key available on www.keyserver.net

Register for LiveLinkUp 2000 today.  October 28-31, 2000
http://www.opentext.com/livelinkup
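The anti-spoofing interaction described in the reply above, as an added illustration (not code from either poster, and not Firewall-1's own logic): a small model of per-interface valid-address checking. It assumes a constructed internal net 192.168.1.0/24 and a hypothetical static NAT address 203.0.113.101 for the PPTP server, and shows why a reply leaving the internal interface with the server's external address as source is dropped under "valid addresses = this net" but passes once a specific group containing that one external address is used. Ordinary spoofed packets from outside are still dropped under both policies.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

# Constructed addresses for the example. 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges, not real hosts.
INTERNAL_NET = ip_network("192.168.1.0/24")
PPTP_INTERNAL = ip_address("192.168.1.136")
PPTP_EXTERNAL = ip_address("203.0.113.101")   # hypothetical static NAT address
REMOTE_CLIENT = ip_address("198.51.100.7")    # hypothetical PPTP client


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "internal" or "external"
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp/1723" (PPTP control) or "gre" (tunnel, IP proto 47)


# Map of interface -> networks whose sources are legitimate on that interface.
ValidAddresses = Dict[str, List[IPv4Network]]


def this_net_policy() -> ValidAddresses:
    """Anti-spoofing with 'valid addresses = this net' on the internal interface."""
    return {"internal": [INTERNAL_NET]}


def specific_group_policy() -> ValidAddresses:
    """The fix from the reply: a specific group made of the internal net
    plus the PPTP server's single external address."""
    return {"internal": [INTERNAL_NET, ip_network(f"{PPTP_EXTERNAL}/32")]}


def anti_spoof_verdict(pkt: Packet, valid: ValidAddresses) -> str:
    """Return 'accept' if the source is valid for the arrival interface, else 'drop'.

    An interface with no explicit entry (here: external) is treated as
    'others': anything is accepted except sources claiming to be internal.
    """
    nets = valid.get(pkt.iface)
    if nets is None:
        return "drop" if pkt.src in INTERNAL_NET else "accept"
    return "accept" if any(pkt.src in net for net in nets) else "drop"


def pptp_reply_from_server() -> Packet:
    """The reply the poster observed: the PPTP server answers with its
    external address as source, even though it sits on the internal net."""
    return Packet("internal", PPTP_EXTERNAL, REMOTE_CLIENT, "tcp/1723")


def outside_spoof_attempt() -> Packet:
    """A packet on the external interface claiming an internal source;
    both policies must still drop this."""
    return Packet("external", PPTP_INTERNAL, REMOTE_CLIENT, "gre")


def evaluate(policy: ValidAddresses) -> Dict[str, str]:
    """Run the two interesting packets through a policy and collect verdicts."""
    return {
        "pptp_reply": anti_spoof_verdict(pptp_reply_from_server(), policy),
        "outside_spoof": anti_spoof_verdict(outside_spoof_attempt(), policy),
    }


if __name__ == "__main__":
    for name, policy in (("this net", this_net_policy()),
                         ("specific group", specific_group_policy())):
        print(f"{name:15s} {evaluate(policy)}")
```

The check is deliberately the simplest form of source-address validation: it says nothing about NAT order or the GRE tunnel itself. Its point is that the drop happens before any accept rule is consulted, which is why the log viewer can show the PPTP rule matching and the client still fail; a spoof drop is what to look for in the logs.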
