PPTP NAT behind SRX

In this post I will show how I configured an SRX NAT device to forward PPTP connections.
Please read the entire post before applying any configuration, as the first part of this post
does contain some mistakes :)

[Topology diagram: srx-pptp-nat]

As you can see in the topology, I used my SRX device (SRX100, 12.1X44-D20.3)
between an XP VPN client and an RRAS server on Windows 2008. I must admit that it
was a pain to install/configure RRAS on the 2008 server. After I disabled IPv6, everything
got messed up and I had to remove/install the interfaces again.

A PPTP connection requires two things:

1) TCP port 1723 for the control path
2) GRE (IP protocol 47) for the data path

First I configured static NAT as follows:

Initially I tried to manage this without a static NAT, but that is impossible because
of GRE: GRE has no port that can be translated, so the translation has to happen at the IP level.
192.168.2.100 is the primary IP on my fe-0/0/0.0 interface. For this to work I needed an extra IP,
192.168.2.101, to which I create the VPN connection.

I also allowed the GRE protocol (IP protocol number 47) and PPTP (junos-pptp, TCP 1723)
in the security policy.

The ANY-ANY rule is just to make things easier for the test; it can be more specific.

Once this config was committed, I initiated a connection from XP (192.168.2.4)
using the built-in XP connection software towards 192.168.2.101 (the NAT IP on the SRX),
and I could successfully log in to RAS and receive an IP.

Following is the session table for this destination once the connection is
established.

I have only tested this PPTP connection through the SRX. I really don't want to
mess with this RRAS server, as it flipped me out :)

WARNING:

After writing this post, I noticed that this config causes a huge security issue: we
allow the whole GRE protocol, and any malicious packet can be carried inside it. To prevent this
we have to use the PPTP ALG, as far as I can see.

For this to work, create a security policy that allows only PPTP:

You can indeed be more specific in the destination-address here.

Then create a destination NAT (you don't have to do static NAT in this setup):

And after a successful connection, you will see the following sessions.
The ALG intercepts the TCP 1723 control connection and opens pinholes for the required GRE
tunnels in both directions. That is why you will see packet counters incrementing
only in one direction.
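The post's own configuration screenshots are not reproduced here, so the following is an added example (not the original post's config) of what the hardened variant described above looks like as Junos set commands. It assumes the XP client sits in a zone named untrust behind fe-0/0/0.0, the RRAS server is 192.168.1.10 in a zone named trust, 192.168.2.101 is a spare address on the fe-0/0/0.0 subnet as in the post, and the object names (RRAS-SERVER, RRAS-PPTP, PPTP-IN, PPTP-TO-RRAS, ALLOW-PPTP) are chosen for this example. It goes one step beyond the post by including the proxy-ARP statement that the SRX needs to answer ARP for a NAT address that is not configured on the interface.

```junos
# Added example, not the original post's configuration.
# Assumed: client side = zone untrust on fe-0/0/0.0, RRAS server = 192.168.1.10
# in zone trust, 192.168.2.101 = spare NAT address on the fe-0/0/0.0 subnet.

# 1. Address-book entry for the real RRAS server (zone address book)
set security zones security-zone trust address-book address RRAS-SERVER 192.168.1.10/32

# 2. Destination NAT: 192.168.2.101:1723 -> 192.168.1.10:1723 (no static NAT needed)
set security nat destination pool RRAS-PPTP address 192.168.1.10/32 port 1723
set security nat destination rule-set PPTP-IN from zone untrust
set security nat destination rule-set PPTP-IN rule PPTP-TO-RRAS match destination-address 192.168.2.101/32
set security nat destination rule-set PPTP-IN rule PPTP-TO-RRAS match destination-port 1723
set security nat destination rule-set PPTP-IN rule PPTP-TO-RRAS then destination-nat pool RRAS-PPTP

# 3. 192.168.2.101 is not an interface address, so the SRX must answer ARP for it
set security nat proxy-arp interface fe-0/0/0.0 address 192.168.2.101/32

# 4. Security policy: only the PPTP control channel (junos-pptp = TCP 1723).
#    Destination NAT runs before policy lookup, so the policy matches the
#    translated (real) server address. GRE is deliberately NOT permitted here;
#    the PPTP ALG opens the GRE pinholes for each negotiated call.
set security policies from-zone untrust to-zone trust policy ALLOW-PPTP match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-PPTP match destination-address RRAS-SERVER
set security policies from-zone untrust to-zone trust policy ALLOW-PPTP match application junos-pptp
set security policies from-zone untrust to-zone trust policy ALLOW-PPTP then permit

# 5. The PPTP ALG is enabled by default. If "show configuration security alg"
#    shows "pptp disable", remove that statement:
#      delete security alg pptp disable

# Verification (operational mode):
#   show security alg status                        -> PPTP : Enabled
#   show security flow session destination-port 1723   -> the control session
#   show security flow session protocol 47             -> ALG-created GRE sessions
```

The point of the policy is the application match: with junos-pptp only, a GRE packet that does not belong to a call negotiated over an intercepted TCP 1723 session has no pinhole and is dropped, which is the difference from the earlier static NAT setup that permitted protocol 47 outright.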

7 thoughts on “PPTP NAT behind SRX”

  1. Genrikh

    Hi.
    >For this to work I needed an extra IP 192.168.2.101 to which I create the VPN connection.

    Why do I need an extra IP address? Why can I not use the same IP address for NAT that ge-0/0/0 already has? It’s clear for me.

    Reply
      1. siteadmin

        Hi,
        If you use the destination NAT instead of static NAT, which I mentioned at the end, you don’t have to use another IP. Because my box already had one IP with a bunch of NAT rules, I probably wanted to use another IP to make it clear.

        Reply
  2. Genrikh

    Some points are not clear for me 🙂
    I created the DST NAT like this:

    nat {
        destination {
            pool MS-RAS-SRV {
                address 10.1.0.10/32 port 1723;
            }
            rule-set ALLOW-PPTP {
                from zone untrust;
                rule PERMIT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address X.Y.Z.226/32;
                        destination-port 1723;
                    }
                    then {
                        destination-nat pool MS-RAS-SRV;
                    }
                }
            }
        }
    }

    But when I try to check the session flow I cannot see anything:

    admin@r1# run show security flow session destination-port 1723
    Total sessions: 0

    [edit]
    admin@r1#

    Where is my issue?

    Reply
  3. Milan

    Hi Admin,
    you are right about that warning, I tested it myself with a high-end SRX. Just by opening 1723, GRE is established with the ALG.

    Thanks for your post.

    Regards, Milan

    Reply
