Monday, March 2, 2009

Netscreen PPTP NAT Configuration


Goal: allow PPTP traffic inbound through a NetScreen in NAT mode when only one publicly available IP address is available. The same method applies to port forwarding in general by substituting the protocol (e.g. HTTP instead of PPTP).
· VIP same as untrust
· Only have 1 publicly available IP address
· VIP defined with PPTP service
Symptoms & Errors:
· Cannot define VIP same as untrust if using PPTP as service

To address this problem, enable the VIP multi-port command, which allows a VIP service to listen on more than one port. Previously, a VIP service could only listen on a single port. This feature is only available on ScreenOS 3.0.1 or higher.

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

With multi-port enabled, the VIP matches on the first port defined in the custom service.
Next, define a custom service for PPTP, which needs both the GRE tunnel (IP protocol 47) and the TCP 1723 control channel. From the CLI:
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface untrust vip 2048 CustomPPTP [Enter]
set policy incoming "Outside Any" VIP::1 CustomPPTP Permit [Enter]

In this example, the PPTP server was assumed to be on the trust side of the NetScreen, at IP address
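As an added example (not from the original post or from the NetScreen product), a small Python audit that parses ScreenOS `set service` lines in the form shown above and checks that a PPTP VIP service covers GRE (protocol 47) and TCP/1723, that `set vip multi-port` is present, and that the TCP destination range is no wider than 1723. The configuration lines embedded in the block are constructed sample input.

```python
import re
from collections import namedtuple

# Constructed sample (not from a live device): the two CustomPPTP lines from the
# post, plus a deliberately over-broad "LoosePPTP" service for the audit to flag.
SAMPLE_CONFIG = """set vip multi-port
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048
set service CustomPPTP + tcp src 0-65535 dst 1723-1723
set service LoosePPTP group "other" 47 src 2048-2048 dst 2048-2048
set service LoosePPTP + tcp src 0-65535 dst 0-65535
"""

# Matches both the initial 'set service NAME ...' line and the '+' continuation form.
SERVICE_RE = re.compile(
    r'^set service (\S+)(?: \+)?(?: group "\w+")? (tcp|udp|\d+)'
    r' src (\d+)-(\d+) dst (\d+)-(\d+)$')

# proto is "tcp", "udp" or an IP protocol number as a string ("47" is GRE).
Entry = namedtuple("Entry", "proto dst_lo dst_hi")

def multi_port_enabled(text):
    """True if the config enables multi-port VIPs, which a GRE + TCP service needs."""
    return any(line.strip() == "set vip multi-port" for line in text.splitlines())

def parse_services(text):
    """Return {service_name: [Entry, ...]} from ScreenOS 'set service' lines."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            name, proto, _src_lo, _src_hi, dst_lo, dst_hi = m.groups()
            services.setdefault(name, []).append(Entry(proto, int(dst_lo), int(dst_hi)))
    return services

def audit_pptp_service(entries, multi_port):
    """Return findings for a PPTP VIP service; an empty list means it is minimal and complete."""
    findings = []
    if len(entries) > 1 and not multi_port:
        findings.append("multi-protocol service but 'set vip multi-port' is not set")
    if not any(e.proto == "47" for e in entries):
        findings.append("GRE (protocol 47) missing; PPTP tunnel traffic will be dropped")
    if not any(e.proto == "tcp" and e.dst_lo <= 1723 <= e.dst_hi for e in entries):
        findings.append("TCP/1723 control channel missing")
    for e in entries:
        if e.proto == "tcp" and (e.dst_lo, e.dst_hi) != (1723, 1723):
            findings.append(f"TCP dst range {e.dst_lo}-{e.dst_hi} is wider than 1723")
    return findings
```

Run `audit_pptp_service(entries, multi_port_enabled(cfg))` for each service returned by `parse_services(cfg)`; the CustomPPTP definition from the post yields no findings, while the over-broad sample is flagged.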
