Ports required for remote hosts wishing to establish PPTP VPN.


Hello,

I have some users working behind another company's firewall and I'm trying
to figure out what needs to be allowed on their firewall to be able to
establish PPTP VPN connections to my server. I ran analysis on the traffic
and it looks like I'll need port 1723 outgoing AND incoming. Is this correct?

Thanks!
 
This may help. Quoted from http://www.ChicagoTech.net:
Can't connect to a VPN server on the outside of the PIX

Symptom: When attempting to connect to a VPN server on the outside of the
PIX it returns error 721, the computer failed to respond.

Resolution: In order to PPTP through a PIX, you must have a one-to-one
mapping from the external IP to an internal IP for type 47 GRE packets and
port 1723. For example, for pptp add this: conduit permit gre host x.x.x.x
any AND conduit permit tcp host x.x.x.x eq 1723. For l2tp over ipsec:
conduit permit esp host x.x.x.x any, conduit permit udp host x.x.x.x eq 1701
any AND conduit permit udp host x.x.x.x eq 500 any.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
 
Your request for NSLOOKUP info got the wheels in my head turning, and I think
I now know what the problem is.

I'm used to my users getting their IP config from DHCP over ethernet, this
includes the domain suffix. Now with dial-up, they have to get it all from
the RAS server or from RADIUS. The problem is, they're not! The domain suffix
is blank. Thus pinging "SERVER-A" gets you nowhere. But if you ping
"SERVER-A.intra.net", BAM!

The question now is, how do I get this info to the dial-up client? Can it be
done strictly through RAS? Can it be done through a RADIUS policy attribute?

What do you think?

Thank you for responding.
 
Let me make sure I understand; I know that 1723 (in and out) and GRE 47 have
to be enabled on my server, but you're saying that 1723 (in and out) AND GRE
47 have to be enabled for my VPN server's IP on the remote site's firewall for
my users to be able to connect from that site? Or is it simply that 1723 (in and
out) needs to be allowed on their firewall to my VPN server? Do they have to
allow GRE 47 on their firewall to connect to my server?
 
Yes, they have to allow GRE in both directions on their firewall for a
PPTP connection to be made through it.

PPTP just sets up and maintains the tunnel. The actual transfer of the
encrypted data uses a packet with a GRE header. If anything in the path
blocks GRE, no data is transferred and the connection closes.
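The PIX resolution above and Bill's answer describe the same requirement from two sides: a PPTP tunnel needs the TCP/1723 control connection and, separately, GRE (IP protocol 47) to pass the remote firewall in both directions, and a GRE block shows up as a tunnel that sets up and then fails (error 721). The following script is an added example, not code from this thread or from ChicagoTech: it audits a set of firewall log lines for those four legs and reports which ones were denied or never seen. The log format, the client and server addresses, and the function names are all constructed for the example.

```python
"""Audit firewall log lines for the traffic a PPTP tunnel needs.

A PPTP session needs two kinds of traffic between client and server:
  - the control connection on TCP port 1723 (sets up and maintains the tunnel)
  - GRE, IP protocol 47, carrying the tunnelled data (no ports at all)
Both must pass in both directions; a missing GRE leg is the classic
"connects, then drops" failure.
"""
import re

PPTP_PORT = 1723
GRE_PROTO = 47

# Constructed log format (an assumption for this example, not any real
# firewall's syntax): "<ALLOW|DENY> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
# The protocol may be written as a name or, for GRE, as the number 47.
LOG_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+(?P<proto>tcp|udp|gre|\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto = d["proto"]
    if proto == str(GRE_PROTO):      # normalise "47" to "gre"
        proto = "gre"
    return {
        "action": d["action"],
        "proto": proto,
        "src": d["src"],
        "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def _matches(rec, leg):
    """True if a parsed record belongs to the given (proto, src, dst, port_side) leg."""
    proto, src, dst, port_side = leg
    if (rec["proto"], rec["src"], rec["dst"]) != (proto, src, dst):
        return False
    if port_side is None:            # GRE has no ports; address + protocol is enough
        return True
    return rec[port_side] == PPTP_PORT


def audit(lines, client, server):
    """Return {leg: 'allowed' | 'denied' | 'not seen'} for the four PPTP legs."""
    legs = {
        "tcp/1723 client->server": ("tcp", client, server, "dport"),
        "tcp/1723 server->client": ("tcp", server, client, "sport"),
        "gre client->server": ("gre", client, server, None),
        "gre server->client": ("gre", server, client, None),
    }
    status = {name: "not seen" for name in legs}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, leg in legs.items():
            if _matches(rec, leg):
                # A single DENY on a leg is decisive; do not let a later ALLOW hide it.
                if rec["action"] == "DENY":
                    status[name] = "denied"
                elif status[name] != "denied":
                    status[name] = "allowed"
    return status


def missing_legs(status):
    """Legs that were denied or never observed, i.e. the rules still to add."""
    return sorted(name for name, s in status.items() if s != "allowed")


# Constructed sample: client behind the remote firewall, server on our side.
CLIENT = "198.51.100.7"
SERVER = "203.0.113.10"
SAMPLE_LOG = """
ALLOW tcp 198.51.100.7:3421 -> 203.0.113.10:1723
ALLOW tcp 203.0.113.10:1723 -> 198.51.100.7:3421
ALLOW gre 198.51.100.7 -> 203.0.113.10
DENY 47 203.0.113.10 -> 198.51.100.7
ALLOW udp 198.51.100.7:5123 -> 203.0.113.10:53
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines(), CLIENT, SERVER)
    for leg, state in result.items():
        print(f"{leg:28s} {state}")
    print("needs a rule:", missing_legs(result))
```

In the constructed sample the control connection and the outbound GRE leg pass, but the return GRE leg is denied, which is exactly the case Bill describes: the tunnel negotiates over TCP/1723 and then closes because no data can flow back. Feeding the script a real export means only adjusting `LOG_RE` to the firewall's own line format.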
 
Bill,

Thank you for the input.

 
Thanks Bill

Bill Grant said:
Yes, they have to allow GRE in both directions on their firewall for a
PPTP connection to be made through it.

PPTP just sets up and maintains the tunnel. The actual transfer of the
encrypted data uses a packet with a GRE header. If anything in the path
blocks GRE, no data is transferred and the connection closes.
 