Overclockers Australia Forums
15th March 2002, 11:10 AM   #1
elvis (Thread Starter)
MS PPTP over NAT madness

here's the skinny:

i've got a MS RRAS box sitting behind a firewall and the firewall behind a router.

it goes:

internet -> wan_ip:router:public_ip2 -> public_ip1:firewall:private_ip1 -> private_ip2:RRAS

the firewall hosts 3 public IPs, one of which is NATed/forwarded to the RRAS box.

the firewall is opened up correctly for port 1723 access and GRE access, and everything is NATed correctly. PPTP over private LAN works, and the RRAS logs show that the external requests are getting in fine.

the external clients connecting over the web get timeout issues, which i think is a routing problem on the RRAS box. i have set up an IP tunnel interface with just about every configuration i can think of, but it still doesn't want to work.

can anyone offer me any advice?

15th March 2002, 3:45 PM   #2
hast

what OS is the firewall?

15th March 2002, 3:57 PM   #3
elvis (Thread Starter)

it's a nokia ip330 hardware firewall

15th March 2002, 4:34 PM   #4
hast

i think a lot more than the source and destination address need to be rewritten for pptp to work behind NAT.
look at the linux VPN masquerade HOWTOs.

also pptp has its own protocol number.. and you need to let these packets through the firewall

15th March 2002, 7:02 PM   #5
elvis (Thread Starter)

protocol 0 type 47 "gre" is what you are talking about, and is allowed through the NAT.

the PPTP logs report that the authenticated user is indeed making it through the NAT to the PPTP server, but it's not making it back out.

there are "routing interfaces" that you can configure in microsoft RRAS, which is what i am trying to get some help on. i'm not sure if i need to configure several virtual interfaces, or one big one to get me through the NAT and out onto the web.
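The point hast makes in #4 (NAT has to rewrite more than addresses) and the "protocol 47 gre" traffic elvis describes in #5 come down to one detail of the PPTP data channel: it is GRE, so it has no port numbers, only a 16-bit call ID negotiated on the TCP/1723 control channel. The following is an added example written for this page, not code from any poster or from Microsoft RRAS, Nokia or IPCop. It encodes and decodes the RFC 2637 enhanced GRE header and models the call-ID bookkeeping a PPTP-aware NAT must keep so that inbound GRE packets can be delivered to the right inside host, with unknown call IDs dropped. The class and function names, the 10.0.0.x addresses and the call-ID values are constructed for the demonstration.

```python
# Added example: the PPTP data channel (GRE, IP protocol 47) with the RFC 2637
# "enhanced" header, and the call-ID state a PPTP-aware NAT has to track.
# Names, addresses and sample packets below are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_PROTO_GRE = 47          # the "protocol 47 gre" the firewall must pass
PPTP_CONTROL_PORT = 1723   # TCP control channel where call IDs are negotiated
GRE_PROTO_PPP = 0x880B     # protocol type of PPP carried in enhanced GRE

FLAG_K = 0x2000   # key field (payload length + call ID) present; always set for PPTP
FLAG_S = 0x1000   # sequence number present
FLAG_A = 0x0080   # acknowledgment number present
VERSION = 0x0001  # enhanced GRE is version 1


@dataclass
class EnhancedGre:
    call_id: int            # the *peer's* call ID for this session
    payload: bytes
    seq: Optional[int] = None
    ack: Optional[int] = None


def build_enhanced_gre(call_id: int, payload: bytes,
                       seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Encode a PPTP data packet (everything after the IP header)."""
    flags = FLAG_K | VERSION
    flags |= FLAG_S if seq is not None else 0
    flags |= FLAG_A if ack is not None else 0
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def _u32(pkt: bytes, off: int) -> int:
    if len(pkt) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", pkt[off:off + 4])[0]


def parse_enhanced_gre(pkt: bytes) -> EnhancedGre:
    """Decode an enhanced GRE header; raise ValueError for anything that is not PPTP."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & 0x0007) != VERSION or proto != GRE_PROTO_PPP or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = _u32(pkt, off), off + 4
    if flags & FLAG_A:
        ack, off = _u32(pkt, off), off + 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than declared length")
    return EnhancedGre(call_id, payload, seq, ack)


class PptpNat:
    """Minimal model of a PPTP ALG's call-ID table (hypothetical; not any vendor's code).

    Server-to-client GRE packets carry the client's call ID. Two inside clients that
    pick the same ID would be indistinguishable, so the NAT hands each call a unique
    public ID on the control channel and maps it back on the data channel.
    """

    def __init__(self, first_public_id: int = 0x4000) -> None:
        self._next = first_public_id
        self._to_inside: Dict[int, Tuple[str, int]] = {}

    def register_call(self, inside_ip: str, client_call_id: int) -> int:
        """Called when the client's Outgoing-Call-Request is seen on TCP/1723;
        returns the call ID the server will see in place of the client's own."""
        public_id = self._next
        self._next = (self._next + 1) & 0xFFFF
        self._to_inside[public_id] = (inside_ip, client_call_id)
        return public_id

    def inbound(self, gre_pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """Server-to-client data packet: find the inside host and restore its own
        call ID. None means the packet has no control-channel state and is dropped."""
        try:
            g = parse_enhanced_gre(gre_pkt)
        except ValueError:
            return None
        entry = self._to_inside.get(g.call_id)
        if entry is None:
            return None
        inside_ip, client_call_id = entry
        return inside_ip, gre_pkt[:6] + struct.pack("!H", client_call_id) + gre_pkt[8:]


if __name__ == "__main__":
    nat = PptpNat()
    pub = nat.register_call("10.0.0.5", 1)   # constructed inside host and call ID
    pkt = build_enhanced_gre(call_id=pub, payload=b"\xff\x03\xc0\x21", seq=7)
    print(nat.inbound(pkt))                   # ('10.0.0.5', <packet with call ID 1>)
    print(nat.inbound(build_enhanced_gre(call_id=0x7777, payload=b"x")))  # None
```

Without that table a NAT that only knows addresses and TCP/UDP ports can forward TCP/1723 to the RRAS box yet has nothing to match the GRE stream against, which is the shape of the "gets in but not back out" symptom described above; a firewall pass rule for protocol 47 is necessary but not by itself sufficient.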
18th March 2002, 9:37 AM   #6
elvis (Thread Starter)

^bump^

23rd March 2002, 12:36 PM   #7
stapla

Set a rule to allow all access to 1 ip (vpn client). Log traffic and then tighten rules according to traffic.

Also, PPTP VPN clients can't be running behind NAT. They must have a direct internet IP, not NAT/proxy.

23rd March 2002, 1:11 PM   #8
hast

Quote (stapla):
Also pptp vpn client can't be running behind NAT. They must have direct internet ip, not NAT/proxy.

they can, you just need a decent nat device..

23rd March 2002, 1:51 PM   #9
stapla

Quote (originally posted by hast):
they can, you just need a decent nat device..

Yeah, that sounds right. What device do you use for NAT translations?

I have read a technet article that said NAT doesn't properly support outgoing VPN calls with our setup.

In our case you needed VPN clients to have internet ip.

Stapla

23rd March 2002, 2:51 PM   #10
hast

i don't actually have any experience with pptp and nat,
but i know there is a linux iptables helper module to facilitate pptp through nat. i'm not sure if it's a complete solution yet.. but it's getting there

23rd March 2002, 4:25 PM   #11
elvis (Thread Starter)

as it so happens, i got the complete shits with the nokia firewall and bypassed it altogether. i got sick and tired of being yelled at by my bosses for trying to fix substandard equipment they had chosen.

after all of that i routed around the nokia to an IPCop box and then through it to the RRAS server. works bloody fantastically without a hitch, and is damn fast too.

"hardware" firewalls can kiss my arse.