
PPTP VPN through NAT questions

Status
Not open for further replies.

PHead2

Technical User
Dec 18, 2001
222
I'm pretty new to VPNs, and I have a few questions about how PPTP VPNs act with NAT and what needs to be configured in the following scenario.

I'd like my VPN server to be behind my firewall. This server would use NAT to access the internet (I can redirect traffic from a public IP to my private IP, I can also create an address transform).

What, if any, protocols do I need to pass to the server besides 1723 (PPTP)?

Will this work if I use NAT or will the NAT cause a problem?

What if my clients are also behind a NAT firewall?


Thanks!
 
It will work thru NAT. What type of router/firewall will you be using? Check out the manufacturer's site. Most of them have FAQs about VPNs and port forwarding.
Once connected, you will be tunneled all the way to your VPN server. So the NAT will not have a role, as you will be "inside" it....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
I couldn't find any specific documentation from my manufacturer, but I do know how to set up port forwarding. The thing I'm not clear on is what ports I need to forward and what their parameters are. I know PPTP uses TCP port 1723 and GRE is IP Protocol 47, both of which I need to forward.

For my firewall I need to know what the source ports are as well - does the client request from 1723 or does it use a dynamic range, and if it does, what is the source port range?
 
It can vary...
For a Netopia router, you forward TCP source and destination port 1723. Then PPTP source and destination port 0.
For Efficient Networks you need only forward port 1723 to the VPN IP.
What kind of router do you have?

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
We have a Symantec gateway security appliance which acts as our router and firewall. I can forward traffic to any public IP provided by our ISP to an internal address inside the firewall and also send it to a different port. It's really picky about how protocols are set up, so I like to know exactly what is necessary before trying to get something set up.

I'm still not clear on what the source port range should be for PPTP. For example, with HTTP I know that the source port can be anything from 1024 to 65535, and I wasn't sure if it is the same for PPTP or if traffic always originates from a particular port.
 
Thanks, I was having a problem forwarding GRE which that article explains, I should be able to get this working now.
 
Ok, I can now connect to the VPN server from outside the LAN but I cannot do anything on the LAN once connected. Are there any rules I need to configure on the VPN server?

Thanks!
 
Is the VPN server giving you an IP on your network? You may have trouble with names over the VPN, try IPs and see if you can access shares...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
I can't access anything - the VPN server is giving me an IP on the network and is passing the DNS servers as well. Is it a problem if the client's LAN address is on the same network (192.168.1.0) as the network it is trying to connect to (the VPN)?

The VPN server shows the connection, I just can't access any network resources...
 
Yes, that is your problem. They must have 2 different networks. Network A 192.168.1.x connects to Network B 192.168.2.x. Otherwise it causes all sorts of routing issues and will not work. Change one of the networks' address range and it should be fixed....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA
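
Added example, not part of the thread: a simplified model of the client's routing decision that shows why the tunnel comes up but office hosts stay unreachable when both sides use 192.168.1.0/24. The routing table, interface names (`lan0`, `ppp0`), metrics and the host 192.168.1.10 are constructed, and the model assumes the VPN client adds a default route through the tunnel.

```python
import ipaddress

def overlapping(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges overlap."""
    pairs = []
    for local in map(ipaddress.ip_network, local_nets):
        for remote in map(ipaddress.ip_network, remote_nets):
            if local.overlaps(remote):
                pairs.append((str(local), str(remote)))
    return pairs

def egress_interface(routes, dest):
    """Pick the route for dest: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    candidates = [(ipaddress.ip_network(net), metric, iface)
                  for net, iface, metric in routes
                  if addr in ipaddress.ip_network(net)]
    if not candidates:
        return None
    _, _, iface = max(candidates, key=lambda c: (c[0].prefixlen, -c[1]))
    return iface

def client_routes(lan_net):
    """Constructed client routing table after the tunnel comes up (assumed layout)."""
    return [
        (lan_net, "lan0", 10),       # on-link route for the client's own LAN
        ("0.0.0.0/0", "lan0", 20),   # original default route via the local router
        ("0.0.0.0/0", "ppp0", 1),    # default route added by the VPN client (assumption)
    ]

OFFICE_NET = "192.168.1.0/24"   # network behind the VPN server, as in the thread
OFFICE_HOST = "192.168.1.10"    # constructed address of a host on that network

if __name__ == "__main__":
    # First pass: client LAN collides with the office LAN. Second: client renumbered.
    for lan in ("192.168.1.0/24", "192.168.2.0/24"):
        print(lan,
              "overlaps:", overlapping([lan], [OFFICE_NET]),
              "-> traffic to", OFFICE_HOST, "leaves via",
              egress_interface(client_routes(lan), OFFICE_HOST))
```

With the colliding range, the on-link /24 route is more specific than the tunnel's default route, so packets for the office host go out the local interface and never enter the tunnel; after renumbering, the same destination is sent through `ppp0`.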

 