07-17-2017 08:42 PM
Hello,
An internal host is attempting to establish a PPTP tunnel connection with an outside Internet host. The internal host accesses the Internet over NAT (actually PAT) on the firewall's outside IP address. There was no issue with the PPTP (TCP 1723) connection, but GRE (IP 47) packets from the remote host could not reach the internal host. A packet capture on the firewall shows that the GRE packets got dropped at the "drop" stage, and they cannot be seen in the "transmit" or "firewall" stage captures.
On some firewalls there is a feature known as PPTP inspection, where the PPTP traffic is inspected by the firewall and, based on the PPTP session info, incoming GRE traffic is NATed and forwarded to the correct internal host. May I know if such a feature is available on the PAN firewall (software 6.1.6), or is there an alternate configuration to achieve the same result?
Thanks in advance.
07-17-2017 08:48 PM
Hi,
I have tested this on 7.1 and 8.0. It works. I'm not exactly sure since when this is supported, but in these versions the firewall will open a predict session for GRE traffic.
Best Regards
07-18-2017 05:40 PM - edited 07-18-2017 05:41 PM
Thank you for the confirmation. Closing the loop by mentioning that we set up 1-to-1 NAT and that solved the issue.
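As an added illustration of the PPTP inspection and GRE predict-session behaviour discussed in this thread (not code from any poster and not how PAN-OS implements it): a minimal tracker that learns the client's Call ID from the outbound PPTP control message and uses it to match the returning GRE packet to the internal host. Field layouts follow RFC 2637; the class name, addresses and Call ID are constructed for the example.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D      # RFC 2637 magic cookie
OUTGOING_CALL_REQUEST = 7    # control message that carries the client's Call ID
GRE_PROTO_PPP = 0x880B       # protocol type of PPTP's enhanced GRE

def client_call_id(ctrl: bytes):
    """Return the Call ID from an Outgoing-Call-Request, else None."""
    if len(ctrl) < 14:
        return None
    _len, msg_type, magic, ctrl_type, _rsv, call_id = struct.unpack("!HHIHHH", ctrl[:14])
    if msg_type != 1 or magic != PPTP_MAGIC or ctrl_type != OUTGOING_CALL_REQUEST:
        return None
    return call_id

def gre_call_id(gre: bytes):
    """Return the Call ID from an enhanced GRE header (K bit set, version 1), else None."""
    if len(gre) < 8:
        return None
    flags, proto, _payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != GRE_PROTO_PPP or not (flags & 0x2000) or (flags & 0x0007) != 1:
        return None
    return call_id

class PptpTracker:
    """Hypothetical state table: (server IP, client Call ID) -> internal host."""
    def __init__(self):
        self.expected = {}

    def outbound_control(self, inside_ip, server_ip, payload):
        # Seen on the TCP 1723 session as it leaves through PAT.
        cid = client_call_id(payload)
        if cid is not None:
            self.expected[(server_ip, cid)] = inside_ip

    def inbound_gre(self, server_ip, gre):
        # GRE has no ports, so PAT alone has nothing to match on.
        # None means no state exists and the packet would be dropped.
        return self.expected.get((server_ip, gre_call_id(gre)))

# Constructed sample data: documentation addresses and a made-up Call ID 0x0042.
OCRQ = struct.pack("!HHIHHH", 168, 1, PPTP_MAGIC, OUTGOING_CALL_REQUEST, 0, 0x0042) + bytes(154)
GRE = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 0, 0x0042, 0)  # K+S set, version 1
```

With 1-to-1 NAT, as used in the resolution above, no such state is needed because every inbound packet for the public address maps to a single internal host regardless of protocol.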