ScreenOS Firewalls (NOT SRX)

VPN connection to ISA Server behind Juniper Firewall

‎12-12-2010 09:44 AM


I have a Juniper SSG320M firewall and ISA Server 2006. What I am trying to do is get a VPN connection to my ISA firewall. I opened PPTP port 1723 and GRE exactly the way knowledgebase

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

The multi-port command will match the first port it sees in the custom service.

Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP [Enter]

Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

set policy from untrust to trust "any" "any" "CustomPPTP" permit [Enter]
save [Enter]


and also I enabled alg pptp.

set alg pptp enable

Now I can connect by VPN to ISA 2006 from the intranet, but when I try to connect from the outside world the connection is reset by the Juniper.

Juniper policy logs:

source add:   dest address:
GRE   42sec.  750  0  Close - AGE OUT
PPTP  40 sec.  1070  916  Close - TCP FIN


(I changed the ip address. The addresses are not real.)

interface "" zone "Untrust"
interface "" zone "Trust"

and the interfaces both inside and outside are set as “route”.


SSG320M-> get session dst-port 1723

alloc 569/max 64064, alloc failed 0, mcast alloc 52, di alloc failed 0
total reserved 0, free sessions in shared pool 63495
Total 1 sessions according filtering criteria.
id 63214/s**,vsys 0,flag 0c000000/0000/0001,policy 25,time 178, dip 0 module 0
 if 10(nspflag 801801):>,6,00270dfe1a00,ses0
 if 0(nspflag 801800):<-,6,0016357ffc83,sess to0
Total 1 sessions shown


On the client side, the client gets the message “Verifying username and password..” and the connection is closed.

Can anyone help me to resolve this problem? I searched the knowledgebase but I couldn't find any solution.

Thank you.


Re: VPN connection to ISA Server behind Juniper Firewall

‎12-15-2010 06:03 AM

Is it really a hard question? :( Nobody answers :(



Re: VPN connection to ISA Server behind Juniper Firewall

‎12-17-2010 12:02 AM



This is really a hard question. I do not know if someone has succeeded in configuring this with VIP. Please follow the thread

Unfortunately I have not received feedback on whether it worked. If you have a free public IP, use MIP or policy-based NAT for PPTP.

Kind regards,