Yes, you can do PPTP through a firewall that performs NAT. And the addresses you allocate can be from the private IP ranges (10.x.x.x, 192.168.x.x, etc.). The trick question is, can your firewall do:

1) reverse mapping of inbound traffic, e.g. inbound traffic on TCP/1723 should be mapped to 192.168.1.3 - our NT server with RRAS and PPTP.

2) passing of GRE traffic, i.e. IP protocol 47 - several firewalls cannot, some can.

On the remote system, the PPTP destination, then, is the external IP address of the firewall.

See all other conversations re: the relative security of PPTP.

=======================================================
Andy Webb                       awebbat_private
www.swinc.com                   Simpler-Webb, Inc.
Austin, TX                      512-322-0071
"Mauve has more RAM" - Dilbert
=======================================================

> -----Original Message-----
> From: Ge' Weijers [mailto:ge@progressive-systems.com]
> Sent: Thursday, April 16, 1998 11:47 AM
> To: Joseph S. D. Yao
> Cc: Tina Bird; vpnat_private; firewall-wizardsat_private
> Subject: Re: PPTP Question
>
> My reasonably educated guess is that PPTP can be sent through a NAT router
> successfully. The control packets don't seem to contain any IP addresses,
> so I don't expect any problems there. As long as the NAT router can figure
> out to which machine the GRE packets should be sent things will work.
>
> The payloads of the GRE packets are PPP frames, and PPP (IPCP) can
> negotiate any IP address for use inside the tunnel, the NAT does not need
> any cleverness to handle this.
>
> An MIT student project actually succeeded in proxying PPTP through a
> Linux-based firewall, see:
> http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/
>
> Hope this helps,
>
> Ge'
>
> On Tue, 14 Apr 1998, Joseph S. D. Yao wrote:
>
> > > According to the VPN book, the PPTP packet consists of the delivery
> > > header, the IP header, a GREv2 header and the payload. The IP
> > > header of course contains the source and destination IP addresses.
> > > But if I'm using redirection at the firewall or other NAT device (so
> > > the connection is ostensibly made between the PC's address and a
> > > particular port or virtual IP address on the external side of the
> > > firewall), where is the >internal< IP address being broadcast?
> >
> > More to the point, is there any way to make the IP addresses in the
> > delivery header and the internal IP header [presumably not the external
> > IP header, since you said this is the PPTP packet, which is
> > encapsulated in the IP packet] different? If not, you can't have NAT.
> >
> > --
> > Joe Yao                         jsdyat_private - Joseph S. D. Yao
> > COSPO Computer Support          EMT-A/B
> > -----------------------------------------------------------------------
> > This message is not an official statement of COSPO policies.
>
> Ge' Weijers                             Voice: (614)326 4600
> Progressive Systems, Inc.               FAX:   (614)326 4601
> 2000 West Henderson Rd. Suite 400
> Columbus, OH 43220                      http://www.Progressive-Systems.com
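[Editor's added example, not part of the thread or of any poster's setup: the two firewall requirements Andy lists, reverse-mapping the TCP/1723 control connection to the internal RRAS host and passing GRE (IP protocol 47), written as Linux iptables rules. The external interface name eth0, the DRY_RUN variable and the rule layout are assumptions for illustration; 192.168.1.3 is the server address from Andy's message. One caveat worth keeping in mind: GRE carries no port numbers, so a plain DNAT like this can serve exactly one internal PPTP server behind the firewall.]

```shell
#!/bin/sh
# Added example: NAT rules that let PPTP reach an internal RRAS server.
# Assumptions (not from the thread): external interface eth0, Linux iptables,
# and a DRY_RUN switch (default on) that prints the rules instead of applying them.

EXT_IF="${EXT_IF:-eth0}"
PPTP_SERVER="${PPTP_SERVER:-192.168.1.3}"
DRY_RUN="${DRY_RUN:-1}"

# run_ipt: print the rule in dry-run mode, otherwise hand it to iptables
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Two kinds of inbound traffic must be delivered to the internal server:
#  1) the TCP/1723 control connection (reverse-mapped with DNAT)
#  2) GRE, IP protocol 47, which carries the PPP frames and has no ports
pptp_nat_rules() {
    # Control channel: map inbound TCP/1723 to the RRAS host.
    run_ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"
    # Data channel: GRE has no port numbers, so every inbound GRE packet on the
    # outside interface goes to the one PPTP server; a second server behind the
    # same address cannot be distinguished by these rules.
    run_ipt -t nat -A PREROUTING -i "$EXT_IF" -p 47 \
        -j DNAT --to-destination "$PPTP_SERVER"
    # Let the translated traffic through the filter table.
    run_ipt -A FORWARD -i "$EXT_IF" -d "$PPTP_SERVER" -p tcp --dport 1723 -j ACCEPT
    run_ipt -A FORWARD -i "$EXT_IF" -d "$PPTP_SERVER" -p 47 -j ACCEPT
    # Replies are un-translated by connection tracking, so the remote client
    # only ever sees the firewall's external address as the PPTP endpoint.
}

# gre_rule_count: how many rules handle protocol 47. A firewall that cannot
# pass GRE at all is the usual reason PPTP through NAT fails, so this is the
# first thing to check in a rule set.
gre_rule_count() {
    ( DRY_RUN=1; pptp_nat_rules ) | grep -c -- '-p 47'
}

pptp_nat_rules
```

Run it as-is to see the rules; run it with DRY_RUN=0 as root to apply them. The remote client's PPTP destination stays the firewall's external address, exactly as Andy describes.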
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:03 PDT