Well, I can't give up. There must be something more than just letting
TCP1723 and GRE 47 through the fw.
In my fw's log I can see that both 1723TCP and protocol id 47 are permitted
and still the remote users (error 650) can't authenticate to the server
(authentication timeout in the MS PPTP server log).
Anybody else have a similar problem? The MS PPTP is just a short
term/temporary solution but I need to get it going.
Thanks
Jean.
> >-----Original Message-----
> >From: Blanco, Juan [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, December 03, 1999 8:52 AM
> >To: 'Jean Morissette'
> >Subject: RE: VPN via 2501 - Firewall-1 - NT
> >
> >
> >To tell you the truth, I give up.... I spoke to Microsoft and Checkpoint and
> >they could not figure out the problem... At this time I am using VPN from
> >Checkpoint and it works great, no problem at all..... Think about this:
> >Checkpoint wants you to use their own product... the same thing from
> >Microsoft.... Why would either company be interested in fixing any
> >problem when you have a mixed environment....
> >
> >-----Original Message-----
> >From: Jean Morissette [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, December 03, 1999 6:52 AM
> >To: 'Blanco, Juan'
> >Subject: RE: VPN via 2501 - Firewall-1 - NT
> >
> >
> >Hi Juan,
> >
> >Did you fix your problem? I do think mine has got anything to do with GRE47.
> >I know now that these packets get through. I don't see anything blocked at
> >the firewall???
> >
> >Let me know how you fixed it, if it is fixed!
> >Thanks
> >Jean.
> >
> >> >-----Original Message-----
> >> >From: Jean Morissette [mailto:[EMAIL PROTECTED]]
> >> >Sent: Monday, November 22, 1999 7:44 AM
> >> >To: Ben Nagy; 'Blanco, Juan'; '[EMAIL PROTECTED]'
> >> >Cc: [EMAIL PROTECTED]
> >> >Subject: RE: VPN via 2501 - Firewall-1 - NT
> >> >
> >> >
> >> >I installed a w/s between the fw and the upstream router so Juan
> >> >might want to do that.
> >> >
> >> >I try to connect to the PPTP/RRAS server and can see that it is
> >> >blocked at the fw (logging) with this (47) oh wow! it is GRE.
> >> >
> >> >My problem is that I am sure the fw is set up to let protocol id
> >> >47 through. Juan, try this and see if fw-1 stops proto id 47, I
> >> >am sure that fw-1 has good logging capabilities.
> >> >
> >> >I should be able to fix this little problem today and will keep
> >> >you posted! Or if you fix it before I do, well, drop me a line!
> >> >Jean.
> >> >
> >> >> -----Original Message-----
> >> >> From: [EMAIL PROTECTED]
> >> >> [mailto:[EMAIL PROTECTED]]On Behalf Of Ben Nagy
> >> >> Sent: Sunday, November 21, 1999 10:48 PM
> >> >> To: 'Blanco, Juan'; '[EMAIL PROTECTED]'
> >> >> Cc: [EMAIL PROTECTED]
> >> >> Subject: RE: VPN via 2501 - Firewall-1 - NT
> >> >>
> >> >>
> >> >> I presume you mean TCP 1723...
> >> >>
> >> >> So, error 650 is remote server not responding - typical of cases where
> >> >> GRE isn't getting end to end.
> >> >>
> >> >> Check it with some sort of sniffer, if you can. Check to see if you're
> >> >> getting any GRE behind the router, and then check behind the firewall.
> >> >>
> >> >> Another thing that might be tripping you up - if you're using a Cisco box
> >> >> with NAT, you MUST either use real IP addresses or use a STATIC NAT mapping
> >> >> for the firewall, otherwise GRE stuff won't get passed through properly.
> >> >> Dynamic NAT is based on TCP sessions - it doesn't grok GRE.
> >> >>
> >> >> There may also be problems along these lines on the FW-1 box - I dunno, I'm
> >> >> not a FW1 guy.
> >> >>
> >> >> Cheers,
> >> >>
> >> >> --
> >> >> Ben Nagy
> >> >> Network Consultant, CPM&S Group of Companies
> >> >> PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> >> >>
> >> >> > -----Original Message-----
> >> >> > From: Blanco, Juan [mailto:[EMAIL PROTECTED]]
> >> >> > Sent: Sunday, 21 November 1999 12:10 AM
> >> >> > To: '[EMAIL PROTECTED]'
> >> >> > Cc: [EMAIL PROTECTED]
> >> >> > Subject: VPN via 2501 - Firewall-1 - NT
> >> >> >
> >> >> >
> >> >> > Folks,
> >> >> >
> >> >> >
> >> >> > I am currently trying to set up a simple dial-up virtual networking
> >> >> > configuration. What I'm trying to do is allow remote users to dial
> >> >> > into their internet service over a standard dial-up phone line and from
> >> >> > there access the office network. Our server computer is running Windows NT
> >> >> > 4.0 behind the Firewall-1. The error message that we are receiving when
> >> >> > trying to do this with the VPN client is error 650:
> >> >> > I have Protocol 47 open at the firewall, and TCP port 172. I spoke to
> >> >> > Checkpoint and they have no clue.
> >> >> >
> >> >> > Any help will be appreciated.....
> >> >> >
> >> >> >
> >> >> >
> >> >> > Thanks,
> >> >> >
> >> >> >
> >> >> > Tony
> >> >> >
> >> >> > -
> >> >> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> >> >> > "unsubscribe firewalls" in the body of the message.]
> >> >> >
> >> >>
> >
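
Added example (not part of the original messages): the check suggested in the thread, sniffing for GRE behind the router and then behind the firewall, written as a script that counts TCP 1723 and IP protocol 47 packets per direction in two captures and reports where GRE stops. The addresses, function names and both sample captures are constructed for illustration; it assumes classic little-endian pcap files with Ethernet framing.

```python
import struct

SERVER = bytes([198, 51, 100, 5])  # constructed PPTP server address
CLIENT = bytes([192, 0, 2, 10])    # constructed remote client address

def frame(src, dst, proto, payload=b""):
    """Constructed Ethernet + IPv4 frame (checksums left zero, not verified)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_pptp(pcap, server=SERVER):
    """Count PPTP control (TCP 1723) packets and GRE (IP protocol 47) per direction."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    c = {"ctrl": 0, "gre_to_server": 0, "gre_from_server": 0}
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                           # not IPv4 over Ethernet
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        if proto == 47 and pkt[30:34] == server:
            c["gre_to_server"] += 1
        elif proto == 47 and pkt[26:30] == server:
            c["gre_from_server"] += 1
        elif proto == 6 and len(pkt) >= 18 + ihl and 1723 in struct.unpack("!HH", pkt[14 + ihl:18 + ihl]):
            c["ctrl"] += 1
    return c

def diagnose(outside, inside):
    """Walk the GRE path: upstream -> firewall -> server -> firewall -> upstream."""
    steps = [(outside["gre_to_server"], "no GRE arriving from upstream"),
             (inside["gre_to_server"], "GRE lost inbound at the firewall"),
             (inside["gre_from_server"], "server sends no GRE"),
             (outside["gre_from_server"], "GRE lost outbound at the firewall")]
    return next((msg for n, msg in steps if n == 0), "GRE seen both ways at both points")

TCP = struct.pack("!HH", 40000, 1723) + b"\x00" * 16   # constructed TCP header, dst port 1723
OUTSIDE = build_pcap([frame(CLIENT, SERVER, 6, TCP), frame(CLIENT, SERVER, 47)])
INSIDE = build_pcap([frame(CLIENT, SERVER, 6, TCP), frame(CLIENT, SERVER, 47),
                     frame(SERVER, CLIENT, 47)])
print(diagnose(count_pptp(OUTSIDE), count_pptp(INSIDE)))
```
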