VPN problem with pptp and gre

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN problem with pptp and gre

Not applicable

Dear all,

   I use PAN500 replace linksys firewall. I have the problem with our client that use VPN client to dialup to internet VPN server device such as router. Our diagram looklike this.

Client(window XP, with MS VPN client)  --> PAN500 --> VPN server(router)

  I try to watch monitoring traffic. I found unusual traffic with detail : From port = 0 , NAT Source Port = 0 , To Port = 0, NAT Destination Port = 0 , Application = gre

  With my old firewall It is ok for this case.

Please help me.

Thanks

TU

11 REPLIES 11

Retired Member
Not applicable

PPTP uses TCP port 1723 to setup the tunnel and GRE for the actual tunnel traffic. The TCP side is rather straightforward. But GRE is not TCP nor UDP. It is in fact IP protocol 47 (TCP is IP protocol 6 and UDP is IP protocol 17). There is no ports for GRE. That is why you see zero for source/destination ports.

To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic. 

-Richard

Hi Rechard,

   Sorry for delay reply. These are policy on my PAN box.

NAT:

1. source zone= Inside(LAN), destination zone= Outside(internet) , source address = 192.168.x.0/24(IP of LAN subnet) , dest. address= any, service =any, source translation = dynamic-ip-and-port , translated address = y.y.y.y(IP of Outside interface) , Dest. translation = none.

Security:

1. source zone = outside , source address = public IP of VPN (pptp) servers, source user = any, dest. zone = outside , dest. address = y.y.y.y(IP of Outside interface), application = any, service = any , action = allow

2. source zone = inside, source address = 192.168.x.0/24(IP of LAN subnet), source user = any, dest. zone = outside , dest. address = any, application = any, service = any , action = allow

  The result after commit. I noticed that sometime client can connect pptp but sometime cann't. Any missing on this configuration.

Thanks you,

TU

Retired Member
Not applicable

Your NAT rule is not a static NAT. Static NAT would be a 1-to-1 mapping of a public to a private IP without port translation. You have dynamic-ip-and-port which is many-to-1 with port translation. The problem I can foresee is that only one source IP may ever be able to use this NAT rule because there are no ports to translate for GRE. That may be why it sometimes works and sometimes not. You should configure 1-to-1 static NAT if you require multiple users to use PPTP with NAT.

-Richard

The NAT rule that I refered, I use this rule to NAT our client to Internet via public IP of internet internet. So I'm not sure that if I change this configure It will effect to client's internet traffic. Let's me show you the NAT rule that should be as follow

NAT:

1. source zone= Inside(LAN), destination zone= Outside(internet) , source address = 192.168.x.0/24(IP of LAN subnet) , dest. address= any, service =any, source translation = static IP , translated address = y.y.y.y(IP of Outside interface) , Bi-direction = yes , Dest. translation = none.

   Please correct this NAT rule. Any change please comment to me. For this NAT rule, It have any limitation for NAT traffic?

Thanks you

TU

Hi,

   For above rule, I cann't finish the commit. It told me with this error

"device: nat rule 'NAT_rule': Mismatch static-ip address range between original address and translated addressFailed to parse nat policyCommit failed"

   Could you please help me.

Thanks you

TU

TU,

You cannot use a subnet /24 to translate to one static IP. You will have to use a /32 address to translate to one static IP. That is why you are seeing that error.

Hope this helps.

Thanks

Hi marjdev,

   Thank for you reply.

    For my case, If my clients,more than 1 client, on LAN (192.168.0.0/24) to connect internet VPN server with PPTP connection at the same time. Because different client has different logon/password and they want to conect at the sametime.

------

(again)These are policy on my PAN box.

NAT:

1. source zone= Inside(LAN), destination zone= Outside(internet) , source address = 192.168.x.0/24(IP of LAN subnet) , dest. address= any, service =any, source translation = dynamic-ip-and-port , translated address = y.y.y.y(IP of Outside interface) , Dest. translation = none.

Security:

1. source zone = outside , source address = public IP of VPN (pptp) servers, source user = any, dest. zone = outside , dest. address = y.y.y.y(IP of Outside interface), application = any, service = any , action = allow

2. source zone = inside, source address = 192.168.x.0/24(IP of LAN subnet), source user = any, dest. zone = outside , dest. address = any, application = any, service = any , action = allow

-------

Source method is "dynamic-ip-and-port". Is it ok for my case? As I maintained sometime client can connect, someteim client cann't connect.

Please help me. Because my customer want to use this VPN.

Thanks you

TU

The side with the non-static will need to be the initiator for your dynamic environment. This would explain the intermittent success.

Quote:"To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic. "

To resurrect old thread; has this issue been resolved in newer PAN-OS releases or is static NAT still required for outgoing GRE connections? As far as I know you can track some parameters in GRE packet to send it to the correct host and in this way GRE should be possible with dynamic NAT as well. Can someone please confirm this?

Hi @santonic, it seems that this remains an issue:)

Hey @mvidic maybe we should start a feature request?:)

  • 10655 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!