ScreenOS Firewalls (NOT SRX)
Visitor
aszeynep
Posts: 3
Registered: 02-02-2009

VPN connection to ISA Server behind Juniper Firewall

Hi,

I have a Juniper SSG320M firewall and ISA Server 2006. What I am trying to do is get a VPN connection to my ISA firewall. I opened PPTP port 1723 and GRE exactly the way the knowledgebase article kb.juniper.net/InfoCenter/index?page=content&id=KB5471 describes:

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

The multi-port command will match the first port it sees in the custom service.

Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10 [Enter]

Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

set policy from untrust to trust "any" "any" "CustomPPTP" permit [Enter]
save [Enter]


and I also enabled the PPTP ALG:

set alg pptp enable
save   

Now I can make a VPN connection to ISA 2006 from the intranet, but when I try to connect from the outside world the connection is reset by the Juniper.

Juniper policy logs:

source add: 65.100.120.4:0   dest address:8.5.5.5:25630   65.100.120.4:16443  10.2.7.8:25630  GRE   42sec. 750  0  Close - AGE OUT

65.100.120.4:5335  8.5.5.5:1723  65.100.120.4:5335  10.2.7.8:1723  PPTP  40 sec.  1070  916  Close - TCP FIN


(I changed the IP addresses. The addresses are not real.)

interface "8.5.5.5" zone "Untrust"
interface "10.2.0.0" zone "Trust"

and the interfaces both inside and outside are set as “route”.

SSG320M-> get session dst-port 1723

alloc 569/max 64064, alloc failed 0, mcast alloc 52, di alloc failed 0 total reserved 0, free sessions in shared pool 63495 Total 1 sessions according filtering criteria.

id 63214/s**,vsys 0,flag 0c000000/0000/0001,policy 25,time 178, dip 0 module 0  if 10(nspflag 801801): 65.100.120.4/4919>8.5.5.5/1723,6,00270dfe1a00,ses0

 if 0(nspflag 801800): 65.100.120.4/4919<-10.2.7.8/1723,6,0016357ffc83,sess to0 Total 1 sessions shown


On the client side the client gets the message “Verifying username and password...” and then the connection is closed.

Can anyone help me resolve this problem? I searched the knowledgebase but I couldn't find any solution.

Thank you.
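As an added example (not part of the original post and not Juniper's code), a small Python parser for ScreenOS policy-log lines of the shape quoted above. It groups sessions per client and flags the pattern worth checking when PPTP through a VIP fails: the TCP 1723 control session completes normally while the GRE session sends bytes, receives none and ages out, and the GRE source "port" field (where the PPTP ALG tracks the call ID) is rewritten on the way through the firewall. The sample lines are constructed from the thread's placeholder addresses.

```python
import re

# Constructed sample, modelled on the two policy-log lines quoted in the thread.
# The addresses are the thread's placeholders, not real hosts.
SAMPLE_LOG = """
source add: 65.100.120.4:0   dest address:8.5.5.5:25630   65.100.120.4:16443  10.2.7.8:25630  GRE   42sec. 750  0  Close - AGE OUT
65.100.120.4:5335  8.5.5.5:1723  65.100.120.4:5335  10.2.7.8:1723  PPTP  40 sec.  1070  916  Close - TCP FIN
"""

# Columns: src:port  dst:port  translated-src:port  translated-dst:port
#          service  duration  bytes-sent  bytes-received  "Close - <reason>"
LINE_RE = re.compile(
    r"^(?:source add:\s*)?(\S+?):(\d+)\s+(?:dest address:\s*)?(\S+?):(\d+)\s+"
    r"(\S+?):(\d+)\s+(\S+?):(\d+)\s+(\w+)\s+(\d+)\s*sec\.\s+(\d+)\s+(\d+)\s+Close - (.+)$"
)
FIELDS = ("src", "sport", "dst", "dport", "xsrc", "xsport", "xdst", "xdport",
          "service", "secs", "tx", "rx", "reason")
INT_FIELDS = {"sport", "dport", "xsport", "xdport", "secs", "tx", "rx"}


def parse_log(text):
    """Parse policy-log lines into dicts keyed by FIELDS; unparseable lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = dict(zip(FIELDS, m.groups()))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rec["reason"] = rec["reason"].strip()
        sessions.append(rec)
    return sessions


def diagnose_pptp(sessions):
    """Per client IP, list what the log shows about the PPTP control and GRE data paths."""
    findings = {}
    for s in sessions:
        notes = findings.setdefault(s["src"], [])
        if s["service"] == "GRE":
            if s["rx"] == 0:  # outbound GRE left, nothing ever came back through the policy
                notes.append("GRE: no return traffic (%d bytes sent, 0 received)" % s["tx"])
            if s["sport"] != s["xsport"]:  # ALG rewrote the call-ID slot on the way in
                notes.append("GRE: call ID rewritten %d -> %d by the firewall" % (s["sport"], s["xsport"]))
            if "AGE OUT" in s["reason"]:
                notes.append("GRE: session aged out rather than closed")
        elif s["dport"] == 1723 and s["rx"] > 0:  # control channel exchanged data both ways
            notes.append("PPTP control: completed (%s)" % s["reason"])
    return findings


if __name__ == "__main__":
    for client, notes in diagnose_pptp(parse_log(SAMPLE_LOG)).items():
        print(client, *notes, sep="\n  ")
```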

Visitor
aszeynep
Posts: 3
Registered: 02-02-2009

Re: VPN connection to ISA Server behind Juniper Firewall

Is it really a hard question? :smileysad: Nobody answers :smileysad:

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: VPN connection to ISA Server behind Juniper Firewall

Hi,

This is really a hard question. I do not know if someone has succeeded in configuring this with VIP. Please follow the thread http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Failed-to-get-PPTP-over-SSG5/m-p/66192#M1678...

Unfortunately I have not received feedback on whether it worked. If you have a free public IP, use MIP or policy-based NAT for PPTP.

Kind regards,
Edouard