Monday, March 2, 2009

Netscreen PPTP NAT Configuration

Synopsis

Allow PPTP traffic inbound through a NetScreen in NAT mode when only one publicly available IP address exists. PPTP needs two flows, a TCP control connection on port 1723 and a GRE (IP protocol 47) data channel, so a VIP that listens on a single port cannot carry it. The same method applies to the general problem of port forwarding on one public address: substitute the protocols and ports (e.g. PPTP to HTTP) in the custom service defined in the solution.
Problem
Environment:
· VIP uses the same address as the untrust interface
· Only one publicly available IP address
· VIP defined with the predefined PPTP service
Symptoms & Errors:
· Cannot define a VIP on the untrust interface address when PPTP is the service

Solution
To address this problem, enable the VIP multi-port option, which allows a VIP to be bound to a custom service that has more than one port or protocol entry. Without it, a VIP service can listen on only one port. This feature is only available on ScreenOS 3.0.1 or higher.

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

The reset command reboots the NetScreen, so the option takes effect only after the restart and causes a short outage. Once multi-port is on, the port number given in the VIP definition must be the port of the first entry in the custom service: the VIP is matched on that first port, and the remaining entries of the service are forwarded to the same internal host along with it.
Next, define a custom service for PPTP. From the CLI:
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface untrust vip 2048 CustomPPTP 10.1.1.10 [Enter]
set policy incoming "Outside Any" VIP::1 CustomPPTP Permit [Enter]

In this example the PPTP server sits on the trust side of the NetScreen at IP address 10.1.1.10. The first service entry uses IP protocol 47 (GRE); GRE has no ports, so the 2048 source and destination range is a placeholder that the custom-service syntax requires, and 2048 is therefore the port the VIP is keyed on. The second entry adds the PPTP control connection on TCP 1723 from any source port, and the policy permits CustomPPTP from "Outside Any" to the VIP. Two points to check before relying on this: the exact VIP syntax varies with the ScreenOS release (later releases take the VIP address, or the interface-ip keyword, before the port number; confirm with set interface untrust vip ? on your unit), and "Outside Any" exposes the PPTP server to every Internet address. PPTP authenticates with MS-CHAPv2, whose challenge-response can be brute-forced offline from a captured handshake, so restrict the source address in the policy where the remote peers are known and treat the tunnel as weakly authenticated.
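To confirm that the VIP and policy above actually forward the control channel, the following added example (not part of the original post, and not a NetScreen tool) probes TCP 1723 from the untrust side: it sends a PPTP Start-Control-Connection-Request and parses the server's Start-Control-Connection-Reply as laid out in RFC 2637. The hostname and vendor strings, and the build_sccrp helper that fabricates a server reply for offline testing, are constructed for this example; the script only exercises the TCP leg, since the GRE data channel has to be tested with a real PPTP client.

```python
"""Probe the PPTP control channel (TCP 1723) behind a NetScreen VIP.

Sends a Start-Control-Connection-Request (SCCRQ) and parses the
Start-Control-Connection-Reply (SCCRP), RFC 2637 sections 2.1 and 2.2.
Only the TCP leg is tested; GRE (IP protocol 47) needs a real client.
"""
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
SCCRQ = 1          # Start-Control-Connection-Request
SCCRP = 2          # Start-Control-Connection-Reply
SCC_LEN = 156      # both messages are fixed length

# length, msg type, magic, ctrl type, reserved0, version, reserved1,
# framing caps, bearer caps, max channels, firmware, hostname, vendor
_SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# same layout, but reserved1 becomes result code + error code
_SCCRP_FMT = "!HHIHHHBBIIHH64s64s"


def build_sccrq(hostname=b"vip-probe", vendor=b"example"):
    """Build an SCCRQ advertising async framing and analog bearer (any non-zero is fine for a probe)."""
    return struct.pack(_SCCRQ_FMT, SCC_LEN, PPTP_CONTROL_MESSAGE, PPTP_MAGIC,
                       SCCRQ, 0, 0x0100, 0, 1, 1, 0, 0,
                       hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))


def build_sccrp(result_code=1, error_code=0, hostname=b"pptp-server", vendor=b"example"):
    """Build an SCCRP the way a server would; constructed here only to test the parser offline."""
    return struct.pack(_SCCRP_FMT, SCC_LEN, PPTP_CONTROL_MESSAGE, PPTP_MAGIC,
                       SCCRP, 0, 0x0100, result_code, error_code, 1, 1, 1, 0,
                       hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))


def parse_sccrp(data):
    """Parse an SCCRP; raise ValueError for anything that is not a well-formed reply."""
    if len(data) < SCC_LEN:
        raise ValueError("short PPTP control message: %d bytes" % len(data))
    (length, msg_type, magic, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, firmware, hostname, vendor) = struct.unpack(_SCCRP_FMT, data[:SCC_LEN])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08x (not PPTP?)" % magic)
    if msg_type != PPTP_CONTROL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("expected SCCRP, got message type %d / control type %d" % (msg_type, ctrl_type))
    if length != SCC_LEN:
        raise ValueError("unexpected SCCRP length %d" % length)
    return {
        "version": version,
        "result_code": result,   # 1 = channel established, 2 = general error, 3..5 = refused
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": hostname.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


def _recv_exact(sock, n):
    """Read exactly n bytes (or fewer on EOF) from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_pptp(host, port=1723, timeout=5.0):
    """Connect to the public VIP address, send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        return parse_sccrp(_recv_exact(sock, SCC_LEN))


if __name__ == "__main__":
    import sys
    # usage: python pptp_probe.py <public IP of the NetScreen untrust interface>
    reply = probe_pptp(sys.argv[1])
    print("SCCRP from %s: result=%d host=%r vendor=%r -> %s" % (
        sys.argv[1], reply["result_code"], reply["hostname"], reply["vendor"],
        "control channel OK" if reply["result_code"] == 1 else "refused"))
```

A TCP connection that is refused or times out means the VIP or the policy is not matching; a reply that parses with result code 1 shows the multi-port VIP is forwarding TCP 1723 to the internal server. A reply with a non-PPTP magic cookie usually means the VIP forwarded the port to the wrong host.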
