Solaris Administration

Tech. Bulletin

How to add access to a PPTP server to Firewall-1 3.X and Solaris 2.X

Trevor Paquette

Senior Unix Network Architect

MetroNet Communications

Table of Contents

Introduction

What is this document about?

OVERVIEW

1.0 Define the PPTP service objects

2.0 Define the PPTP server object

3.0 Add FW-1 Rules

4.0 Save and recompile the firewall rules

Introduction

What is this document about?

This document describes how to set up CheckPoint Firewall-1 3.X (on Solaris 2.X) to allow access to a PPTP server.

This document does NOT show how to set up NAT. Please see the document entitled "How to add Network Address Translation to Firewall-1 3.X and Solaris 2.X" for information on how to set up NAT.

OVERVIEW

Now that you have decided that you would like to provide access to a PPTP server, you’ll have to perform the following steps:

    1. Define the PPTP service objects
    2. Define the PPTP server object
    3. Add Firewall-1 rules
    4. Save and recompile the firewall rules.

Each of the stages outlined above must be done one at a time, in the order given.

Commands to enter will be in boldface italic font, where applicable.

Responses from the system will be in plain italic font, where applicable.

Let’s say that the following diagram is what we want to achieve.

[Figure: network diagram with the PPTP server at 209.82.18.20 behind the firewall]

We want to make the PPTP service at IP address 209.82.18.20 available to the Internet. Following the steps outlined above, we can easily do this in less than 5 minutes. (This assumes that all routing to the external and internal subnets is already in place, and that any NAT that is to be done has been installed as well.)

1.0 Define the PPTP service objects

The PPTP service requires the definition of two new firewall service objects and one new group object. The first object is what I call "gre-setup"; the second object is the actual GRE protocol.

To define the gre-setup object, you’ll need to create a new TCP service object. This object will use port 1723. You can see how it is defined in the picture below:

[Figure: the gre-setup TCP service object, port 1723]

The next object is the actual GRE protocol object, gre-proto. This will be a new "Other" service that needs to use IP protocol 0x47. Define it as pictured below:

[Figure: the gre-proto "Other" service object]

Now create a new group called PPTP and place both the gre-setup and gre-proto objects in it:

[Figure: the PPTP group containing gre-setup and gre-proto]

You have now completed defining the objects you’ll need.

2.0 Define the PPTP server object

From the diagram this is 209.82.18.20. Simply create a new workstation object called pptp.company.com as pictured below:

[Figure: the pptp.company.com workstation object, 209.82.18.20]

3.0 Add FW-1 Rules

This is the part that most people get confused about. We have found that in order to get PPTP to function properly you have to allow the PPTP service group bi-directionally, that is, both to the PPTP server and from it. Your FW-1 rules should look like this:

Note: If you are doing NAT for your PPTP server, you should also include the "internal" object for your PPTP server alongside the pptp.company.com object in these rules. If you have used the "How to NAT" document mentioned above, your rules would look like the following:

[Figure: the PPTP rules with the internal (pre-NAT) server object included]

4.0 Save and recompile the firewall rules

The last step is to now save and recompile the rules.

Congrats. You’re done.