The PhoneBoy Blog


FireWall-1 FAQ: PPTP

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

PPTP Communication

You must add a rule permitting access between your PPTP clients and server. PPTP uses two services:

  • TCP port 1723 for a control session
  • A variation of the GRE protocol (IP Protocol 47) for data.

To create this last service, define a new service of type Other and name it PPTP-Data. In the match field, put: ip_p = 47, [22:2,b] = 0x880B. In NG, set the Protocol number to 47 and use [22:2,b] = 0x008B in the match field.

(Note: ip_p = 47 identifies the IP protocol type as GRE. [22:2,b] = 0x880B identifies the payload protocol as PPTP.)
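As an added illustration (not part of the original FAQ and not Check Point code), this Python sketch evaluates the 4.1 match expression against constructed packets, assuming the [22:2,b] offset is counted from the start of the IPv4 header. All function names are hypothetical; the second matcher shows that a fixed offset of 22 only lands on the GRE protocol-type field when the IP header carries no options.

```python
import struct

IPPROTO_GRE = 47       # "ip_p = 47" in the match field
GRE_PROTO = 0x880B     # value compared by "[22:2,b] = 0x880B"


def build_packet(gre_proto, options=b"", proto=IPPROTO_GRE):
    """Constructed sample: IPv4 header (+options) and a 12-byte ack-only GRE v1 header."""
    ihl = 5 + len(options) // 4            # options must be a multiple of 4 bytes
    # flags 0x2081 = K and A bits set, version 1; payload length 0, call ID 1, ack 1
    gre = struct.pack("!HHHHI", 0x2081, gre_proto, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(gre),
                     0, 0, 64, proto, 0,   # checksum left at 0 in this sample
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + options + gre


def fixed_offset_match(pkt):
    """Literal reading of the rule: byte 9 is 47 and the big-endian word at 22 is 0x880B."""
    if len(pkt) < 24:
        return False
    return pkt[9] == IPPROTO_GRE and struct.unpack_from("!H", pkt, 22)[0] == GRE_PROTO


def header_aware_match(pkt):
    """Same test, but the GRE protocol-type field is located from the IHL."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = pkt[0] & 0x0F
    off = ihl * 4 + 2                      # skip the IP header and 2 bytes of GRE flags
    if ihl < 5 or len(pkt) < off + 2:
        return False
    return pkt[9] == IPPROTO_GRE and struct.unpack_from("!H", pkt, off)[0] == GRE_PROTO


if __name__ == "__main__":
    samples = {
        "PPTP data, no IP options": build_packet(0x880B),
        "other GRE payload (0x0800)": build_packet(0x0800),
        "PPTP data, 4 bytes of IP options": build_packet(0x880B, b"\x01\x01\x01\x00"),
    }
    for name, pkt in samples.items():
        print(f"{name}: fixed={fixed_offset_match(pkt)} aware={header_aware_match(pkt)}")
```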

The rules look like this:

Source        Destination   Service       Action
PPTP-Clients  PPTP-Server   PPTP-Control
PPTP-Server   PPTP-Clients  PPTP-Control

PPTP will work with Static NAT, but not HIDE NAT.

Someone (ccna55ATyahooDOTcom) posted the following on the 1st of April 2003:

This is how I did it and it worked well. I have investigated this issue for some 16 hours and I finally got it to work...

PPTP on Checkpoint 4.1 sp4

Do the following to configure the service for Microsoft's PPTP (Point To Point Tunneling Protocol) and use this service in the rulebase:

  1. Define New service type OTHER
     A. The name is GRE
     B. In the match tab put the following ip_p=47
     C. The prologue section should be empty.
  2. Define another new service type TCP
     A. The name is GRE_Setup
     B. Select port number 1723
  3. Define a group of services PPTP - the group includes the GRE service and the GRE-Setup services

This is where it differs a bit....

Rules

Add rule closer to top of rules

Normal Natted machine(Internal address natted to External address) -> Any -> PPTP -> Accept

You need to add the following rule before the cleanup rule:

Valid_address_of_PPTP_server(General Tab External address only) -> Any -> PPTP -> Accept

Note that, using NAT, you can't just use your normal PPTP server object in this rule. You need to make a new object (without anything on the NAT tab) that represents the public (NAT-ed) IP address of your PPTP server and use it in this rule.
