12-12-2010 09:44 AM
I have juniper SSG320M firewall and ISA server 2006. What i am trying to do is get a VPN connection to my ISA firewall. I open PPTP 1723 port and GRE exactly the way knowledgebase kb.juniper.net/InfoCenter/index?page=content&id=KB5471
From the command line interface (CLI):
set vip multi-port [Enter]
The multi-port command will match the first port it sees in the custom service.
Next, define a custom service for PPTP and apply this service in the VIP. From the CLI:
set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10 [Enter]
Finally, create an incoming policy with destination address as the VIP using the custom service object. From the CLI:
set policy from untrust to trust "any" "any" "CustomPPTP" permit [Enter]
and also I enabled alg pptp.
set alg pptp enable
now i can do connection by VPN to ISA 2006 from the intranet but when i try to connect from outsideworld connection reset by juniper.
Juniper policy logs:
source add: 220.127.116.11:0 dest address:18.104.22.168:25630 22.214.171.124:16443 10.2.7.8:25630 GRE 42sec. 750 0 Close - AGE OUT
126.96.36.199:5335 188.8.131.52:1723 184.108.40.206:5335 10.2.7.8:1723 PPTP 40 sec. 1070 916 Close - TCP FIN
(I changed the ip address. The addresses are not real.)
interface "220.127.116.11" zone "Untrust"
interface "10.2.0.0" zone "Trust"
and the interfaces both inside and outside are set as “route”.
SSG320M-> get session dst-port 1723
alloc 569/max 64064, alloc failed 0, mcast alloc 52, di alloc failed 0 total reserved 0, free sessions in shared pool 63495 Total 1 sessions according filtering criteria.
id 63214/s**,vsys 0,flag 0c000000/0000/0001,policy 25,time 178, dip 0 module 0 if 10(nspflag 801801): 18.104.22.168/4919>22.214.171.124/1723,6,00270dfe1a00,ses0
if 0(nspflag 801800): 126.96.36.199/4919<-10.2.7.8/1723,6,0016357ffc83,sess to0 Total 1 sessions shown
On the client side “ Verifying username and password..” the client gets this massege and the connection closed.
Can anyone help me to resoleve this problem. I search the knowledgebase but i couldnt find any solution.
12-17-2010 12:02 AM
This is really a hard question. I do not know if someone has sucseeded in configuring this with VIP. Please follow the thread http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Failed-to-get-PPTP-over-SSG5/m-p/66192#M1678...
Unfortunately I have not received a feedback if it worked. If you have a free public IP use MIP or policy based NAT for PPTP.