09-02-2011 09:22 PM
Dear all,
I use a PAN500 to replace a Linksys firewall. I have a problem with our clients that use a VPN client to dial up to an Internet VPN server device such as a router. Our diagram looks like this:
Client (Windows XP, with MS VPN client) --> PAN500 --> VPN server (router)
I tried watching the monitored traffic. I found unusual traffic with these details: From port = 0, NAT Source Port = 0, To Port = 0, NAT Destination Port = 0, Application = gre
With my old firewall this case was OK.
Please help me.
Thanks
TU
09-03-2011 10:24 PM
PPTP uses TCP port 1723 to set up the tunnel and GRE for the actual tunnel traffic. The TCP side is rather straightforward. But GRE is neither TCP nor UDP. It is in fact IP protocol 47 (TCP is IP protocol 6 and UDP is IP protocol 17). There are no ports for GRE. That is why you see zero for source/destination ports.
To allow such traffic you will need to allow the applications 'pptp' and 'gre'. If you have NAT in between, then you will need to use static NAT to your PPTP server, since there is no port to translate for GRE traffic.
-Richard
09-08-2011 01:15 AM
Hi Richard,
Sorry for the delayed reply. These are the policies on my PAN box.
NAT:
1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = dynamic-ip-and-port, translated address = y.y.y.y (IP of Outside interface), dest. translation = none.
Security:
1. source zone = outside, source address = public IP of VPN (PPTP) servers, source user = any, dest. zone = outside, dest. address = y.y.y.y (IP of Outside interface), application = any, service = any, action = allow
2. source zone = inside, source address = 192.168.x.0/24 (IP of LAN subnet), source user = any, dest. zone = outside, dest. address = any, application = any, service = any, action = allow
The result after commit: I noticed that sometimes the client can connect with PPTP, but sometimes it can't. Is anything missing in this configuration?
Thank you,
TU
09-10-2011 10:42 AM
Your NAT rule is not a static NAT. Static NAT would be a 1-to-1 mapping of a public to a private IP without port translation. You have dynamic-ip-and-port which is many-to-1 with port translation. The problem I can foresee is that only one source IP may ever be able to use this NAT rule because there are no ports to translate for GRE. That may be why it sometimes works and sometimes not. You should configure 1-to-1 static NAT if you require multiple users to use PPTP with NAT.
-Richard
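To make Richard's point concrete, here is an added toy model (not the thread's or PAN-OS's own code) of a many-to-one, port-translating NAT table: TCP/1723 control sessions from several inside hosts each get a fresh source port, but GRE (IP protocol 47) has no port to rewrite, so a second inside host tunnelling to the same PPTP server collides with the first. The public and server addresses are constructed stand-ins.

```python
"""Why dynamic-ip-and-port NAT multiplexes TCP but not GRE (constructed model)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_GRE = 47            # GRE is its own IP protocol: no port field at all
PPTP_CONTROL_PORT = 1723
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the y.y.y.y outside address


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for port-less protocols such as GRE
    dst_port: Optional[int] = None


class DynamicIpAndPortNat:
    """Many-to-one source NAT: rewrite src_ip to one public IP, pick a free port."""

    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = 20000
        # outside tuple -> inside flow; this is how replies are mapped back inside
        self.table: Dict[Tuple, Flow] = {}

    def translate(self, flow: Flow) -> Optional[Tuple]:
        """Return the outside tuple, or None if the flow cannot be mapped."""
        if flow.src_port is not None:
            # A source port is the free variable that keeps each inside host unique.
            port, self.next_port = self.next_port, self.next_port + 1
            key = (flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)
        else:
            # GRE: only the source IP can be rewritten, so two inside hosts
            # tunnelling to the same PPTP server produce the same outside tuple.
            key = (flow.proto, self.public_ip, flow.dst_ip)
            if key in self.table and self.table[key] != flow:
                return None  # collision: the second client's tunnel gets no mapping
        self.table[key] = flow
        return key


def pptp_clients_through_nat(client_ips, server_ip):
    """Each client opens TCP/1723 then GRE to server_ip; return per-client success."""
    nat = DynamicIpAndPortNat()
    results = {}
    for i, ip in enumerate(client_ips):
        ctrl = nat.translate(Flow(IPPROTO_TCP, ip, server_ip, 1024 + i, PPTP_CONTROL_PORT))
        tun = nat.translate(Flow(IPPROTO_GRE, ip, server_ip))
        results[ip] = ctrl is not None and tun is not None
    return results
```

With one client everything maps; with two clients the first keeps the GRE mapping and the second fails, which is the "sometimes works, sometimes not" behaviour described above.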
09-11-2011 08:25 AM
The NAT rule that I referred to is the one I use to NAT our clients to the Internet via our public Internet IP. So I'm not sure whether changing this configuration will affect the clients' Internet traffic. Let me show you the NAT rule as I think it should be:
NAT:
1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = static IP, translated address = y.y.y.y (IP of Outside interface), bi-directional = yes, dest. translation = none.
Please correct this NAT rule. If anything should change, please comment. Does this NAT rule have any limitation for NAT traffic?
Thank you
TU
09-13-2011 06:53 AM
Hi,
For the above rule, I can't finish the commit. It gave me this error:
"device: nat rule 'NAT_rule': Mismatch static-ip address range between original address and translated addressFailed to parse nat policyCommit failed"
Could you please help me?
Thank you
TU
09-13-2011 07:25 AM
TU,
You cannot use a subnet /24 to translate to one static IP. You will have to use a /32 address to translate to one static IP. That is why you are seeing that error.
Hope this helps.
Thanks
09-13-2011 07:56 AM
Hi marjdev,
Thanks for your reply.
In my case, more than one client on the LAN (192.168.0.0/24) needs to connect to the Internet VPN server with a PPTP connection at the same time, because different clients have different logon/passwords and they want to connect at the same time.
------
(again) These are the policies on my PAN box.
NAT:
1. source zone = Inside (LAN), destination zone = Outside (Internet), source address = 192.168.x.0/24 (IP of LAN subnet), dest. address = any, service = any, source translation = dynamic-ip-and-port, translated address = y.y.y.y (IP of Outside interface), dest. translation = none.
Security:
1. source zone = outside, source address = public IP of VPN (PPTP) servers, source user = any, dest. zone = outside, dest. address = y.y.y.y (IP of Outside interface), application = any, service = any, action = allow
2. source zone = inside, source address = 192.168.x.0/24 (IP of LAN subnet), source user = any, dest. zone = outside, dest. address = any, application = any, service = any, action = allow
-------
The source translation method is "dynamic-ip-and-port". Is it OK for my case? As I mentioned, sometimes the client can connect and sometimes the client can't connect.
Please help me, because my customer wants to use this VPN.
Thank you
TU
09-13-2011 12:19 PM
The side with the non-static will need to be the initiator for your dynamic environment. This would explain the intermittent success.
11-21-2013 06:25 AM
Quote: "To allow such traffic you will need to allow applications 'pptp' and 'gre'. If you have NAT inbetween, then you will need to use static NAT to your PPTP server since there is no port to translate for GRE traffic."
To resurrect an old thread: has this issue been resolved in newer PAN-OS releases, or is static NAT still required for outgoing GRE connections? As far as I know you can track some parameters in the GRE packet to send it to the correct host, and in this way GRE should be possible with dynamic NAT as well. Can someone please confirm this?
09-11-2017 05:53 AM
Hi @santonic, it seems that this remains an issue:)
09-12-2017 04:45 AM
Hey @mvidic maybe we should start a feature request?:)