Skip navigation
Menu
Security

NT Gatekeeper: Configure a Firewall to Allow PPTP Traffic

I want to set up a PPTP-based VPN for my company's roaming and small office/home office (SOHO) users. The audit and security department agreed that the PPTP tunnels should terminate on a Windows NT 4.0 RAS server on the company's internal network and that the PPTP traffic should bypass the corporate firewall's security policy. How do I configure my firewall to allow PPTP traffic?

The sidebar "Introduction to PPTP," page 12, provides a short explanation of PPTP and its uses. To let PPTP work across a firewall, you must configure the firewall to allow PPTP control-channel and data-channel packets. The PPTP control channel is the initial channel that you set up between a PPTP client and a PPTP server. The PPTP client and server use this control channel to negotiate tunnel parameters, such as the encryption method and the compression algorithm. The PPTP control channel also establishes, manages, and releases the PPTP data channel. You can think of the data channel as the real PPTP tunnel. The system uses TCP (i.e., port 1723) to send the PPTP control channel packets. On the data channel, PPTP uses a protocol called Generic Routing Encapsulation (GRE—IP protocol number 47) to securely encapsulate the Point-to-Point Protocol (PPP) packets in an IP packet.

Here's an example of how you would configure a Cisco Systems Secure PIX Firewall to allow PPTP traffic. On the PIX Firewall, carry out the following Conduit commands from the Cisco PIX command-line interface:

conduit permit tcp host
  PPTPServerIPAddress
  eq 1723
  ExternalNetworkIPAddress
  ExternalNetworkIPSubnetMask
  
conduit permit gre host
  PPTPServerIPAddress
  ExternalNetworkIPAddress
  ExternalNetworkIPSubnetMask

where PPTPServerIPAddress designates the internal PPTP server's global (i.e., visible from the outside) IP address and ExternalNetworkIPAddress and ExternalNetworkIPSubnetMask designate the IP address range of the clients initiating the PPTP connection. Eq 1723 permits TCP traffic on port 1723. A PIX Firewall blocks all traffic unless you use a Conduit command to permit the traffic. The preceding Conduit commands let the PPTP control packet (first command) and data-channel packet (second command) pass through the PIX Firewall.

For example, to let a roaming user set up a PPTP tunnel from a laptop that has an IP address in the range 192.168.1.0 to 255.255.255.0 to the internal PPTP server that has a global IP address of 192.168.1.7, you would carry out these Conduit commands on the PIX firewall:

conduit permit tcp host
  192.168.1.7 eq 1723
  192.168.1.0 255.255.255.0
  
conduit permit gre host
192.168.1.7
192.168.1.0 255.255.255.0
TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Introduction to PPTP
Jul 01, 2001
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024