FireWall-1 FAQ: PPTP
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
PPTP Communication
You must add a rule permitting access between your PPTP clients and server. PPTP uses two services:
- TCP port 1723 for the control session (a plain TCP service; the rules below call it PPTP-Control).
- A variant of GRE (IP protocol 47, the "enhanced GRE" with a Key and sequence number) for the tunnelled PPP data.
To create the data service, define a service of type Other named PPTP-Data and put the following in the Match field: ip_p = 47, [22:2,b] = 0x880B. In NG, set the Protocol number of the service to 47 and put [22:2,b] = 0x880B in the Match field; the GRE Protocol Type value is 0x880B on both (0x008B, which is sometimes quoted, is not a valid value).
(Note: ip_p = 47 matches the IP protocol field, i.e. GRE. [22:2,b] reads the two bytes at byte offset 22 of the packet as a big-endian number; with a 20-byte IP header those are bytes 2 and 3 of the GRE header, the Protocol Type field, and 0x880B means a PPP payload, which is what PPTP carries. The fixed offset assumes an IP header without options; a packet with IP options shifts the GRE header and will not match.)
The rules look like this:
Source | Destination | Service | Action
PPTP-Clients | PPTP-Server | PPTP-Control, PPTP-Data | Accept
PPTP-Server | PPTP-Clients | PPTP-Control, PPTP-Data | Accept
PPTP will work with Static NAT, but not Hide NAT. Hide NAT multiplexes many internal hosts behind one address by rewriting source ports, and GRE has no port field to rewrite, so the firewall has no way to tell the returning GRE packets of several clients apart.
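As an added illustration (this is example code, not from the FAQ or from Check Point), the following Python script evaluates the two PPTP services above against raw IPv4 packets. It implements the FireWall-1 match `ip_p = 47, [22:2,b] = 0x880B` literally, with its fixed byte offset, next to an IHL-aware version, and shows on a hand-built packet with IP options why the fixed offset is a silent assumption. It also pulls the Call ID out of the GRE Key field, the only per-tunnel identifier in a PPTP data packet, which is the concrete reason Hide NAT has nothing to rewrite. All packets, addresses and Call IDs are constructed for the example.

```python
"""Added example (not from the FAQ or Check Point): evaluating the two PPTP
services above against raw IPv4 packets.

The FireWall-1 expression  ip_p = 47, [22:2,b] = 0x880B  reads the IP protocol
byte and then the two big-endian bytes at absolute offset 22, which are the
GRE Protocol Type field only when the IP header is exactly 20 bytes long.
All packets below are constructed by hand for this example.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B       # GRE Protocol Type for a PPP payload (RFC 2637)
PPTP_GRE_FLAGS_VER = 0x3001  # K=1, S=1, version 1: the "enhanced GRE" of RFC 2637


def build_ipv4(proto, payload, options=b""):
    """Minimal IPv4 header (checksum left zero) + optional options + payload."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]),     # example client address
                         bytes([198, 51, 100, 1]))   # example PPTP server address
    return header + options + payload


def build_gre(proto_type, flags_ver=PPTP_GRE_FLAGS_VER, call_id=0x1234, seq=1, payload=b""):
    """GRE header. Version 0 (plain GRE) is 4 bytes; the PPTP variant adds the
    Key field (payload length + Call ID) and a sequence number."""
    if flags_ver == 0:
        return struct.pack("!HH", flags_ver, proto_type) + payload
    return struct.pack("!HHHHI", flags_ver, proto_type, len(payload), call_id, seq) + payload


def build_tcp(sport, dport):
    """Bare 20-byte TCP header (SYN, no options, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def fw1_fixed_offset_match(pkt):
    """The FAQ's PPTP-Data match taken literally: ip_p = 47 and [22:2,b] = 0x880B."""
    if len(pkt) < 24:
        return False
    proto_type = struct.unpack("!H", pkt[22:24])[0]
    return pkt[9] == IPPROTO_GRE and proto_type == GRE_PROTO_PPP


def classify(pkt):
    """IHL-aware check: returns 'PPTP-Control', 'PPTP-Data' or None."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "PPTP-Control"
    if proto == IPPROTO_GRE and len(l4) >= 4:
        if struct.unpack("!H", l4[2:4])[0] == GRE_PROTO_PPP:
            return "PPTP-Data"
    return None


def gre_call_id(pkt):
    """Call ID from the GRE Key field of a PPTP data packet (IHL-aware).
    GRE carries no port numbers, so this 16-bit value is the only per-tunnel
    identifier in the packet; Hide NAT rewrites ports and has nothing to
    rewrite here, which is why it cannot multiplex several PPTP clients."""
    if classify(pkt) != "PPTP-Data":
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 6:ihl + 8])[0]


# Constructed sample packets.
SAMPLES = {
    "pptp-data":       build_ipv4(IPPROTO_GRE, build_gre(GRE_PROTO_PPP, payload=b"\xff\x03\x00\x21")),
    "plain-gre-ip":    build_ipv4(IPPROTO_GRE, build_gre(0x0800, flags_ver=0)),  # GRE/IP tunnel, not PPTP
    "pptp-data-ipopt": build_ipv4(IPPROTO_GRE, build_gre(GRE_PROTO_PPP), options=b"\x01" * 4),  # four NOP options
    "pptp-control":    build_ipv4(IPPROTO_TCP, build_tcp(40000, PPTP_CONTROL_PORT)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} fixed-offset={fw1_fixed_offset_match(pkt)!s:5s} "
              f"ihl-aware={classify(pkt)} call_id={gre_call_id(pkt)}")
```

Running it shows the literal match accepting the plain PPTP data packet and rejecting the one with IP options, while the IHL-aware check classifies both as PPTP-Data; the GRE/IP tunnel packet (Protocol Type 0x0800) matches neither, which is the point of the 0x880B test rather than matching all of protocol 47.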
Someone (ccna55ATyahooDOTcom) posted the following on the 1st of April 2003:
This is how I did it and it worked well. I have investigated this issue for some 16 hours and I finally got it to work…
PPTP on Checkpoint 4.1 SP4
Do the following to configure the service for Microsoft's PPTP (Point To Point Tunneling Protocol) and use this service in the rulebase:
- Define a new service of type OTHER. A. The name is GRE. B. In the match tab put the following: ip_p=47. C. The prologue section should be empty.
- Define another new service of type TCP. A. The name is GRE_Setup. B. Select port number 1723.
- Define a group of services called PPTP; the group includes the GRE and GRE_Setup services.
This is where it differs a bit….
Rules
Add a rule closer to the top of the rulebase:
Normal NATed machine (internal address NATed to external address) -> Any -> PPTP -> Accept
You need to add the following rule before the cleanup rule:
Valid_address_of_PPTP_server (General tab, external address only) -> Any -> PPTP -> Accept
Note that, when using NAT, you can't just use your normal PPTP server object in this rule. You need to make a new object (with nothing on the NAT tab) that represents the public (NATed) IP address of your PPTP server and use it in this rule.