
D-Link NetDefendOS

912 pages
Figure 6.7. PPTP ALG Usage
The PPTP ALG solves this problem. By using the ALG, the traffic from all the clients can be
multiplexed through a single PPTP tunnel between the firewall and the server.
PPTP ALG Setup
Setting up the PPTP ALG is similar to the setup of other ALG types. The ALG object must be
associated with the relevant service and the service is then associated with an IP rule. The full
sequence of steps for setup is as follows:
1. Define a new PPTP ALG object with an appropriate name, for example pptp_alg. The full list of
   options for the ALG is given towards the end of this section.
2. Associate the new ALG object with an appropriate Service object. The predefined service
   called pptp-ctl can be used for this purpose.
   Alternatively, a new custom service object can be defined, for example called pptp_service.
   The service must have the following characteristics:
   i. Select the Type (the protocol) as TCP.
   ii. The Source port range can be the default of 0-65535.
   iii. Set the Destination port to be 1723.
   iv. Select the ALG to be the PPTP ALG object that was defined in the first step. In this case, it
   was called pptp_alg.
3. Associate this service object with the NAT IP rule that permits the traffic to flow from clients
   to the remote endpoint of the PPTP tunnel. This may be the rule that NATs the traffic out to
   the Internet with a destination network of all-nets.
The single IP rule below shows how the custom service object called pptp_service is
associated with a typical NAT rule. The clients, which are the local endpoint of the PPTP
tunnels, are located behind the firewall on the network lannet which is connected to the lan
interface. The Internet is found on the wan interface which is the destination interface, with
all-nets as the destination network.
Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
NAT      lan             lannet        wan              all-nets       pptp_service
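The three setup steps above, written as NetDefendOS CLI commands. This is an added example, not taken from the manual page: the object type names (ALG_PPTP, ServiceTCPUDP, IPRule) and property names follow the NetDefendOS CLI `add` conventions and should be checked against the CLI reference for the installed version, and the rule name nat_pptp is a hypothetical name chosen here.

```text
# Step 1: define the PPTP ALG object (default options).
add ALG ALG_PPTP pptp_alg

# Step 2: define the custom service with the characteristics listed above:
# TCP, any source port, destination port 1723, and the ALG from step 1.
add Service ServiceTCPUDP pptp_service Type=TCP SourcePorts=0-65535 DestinationPorts=1723 ALG=pptp_alg

# Step 3: associate the service with the NAT rule for client traffic
# from lannet on the lan interface out to all-nets on the wan interface.
# Assumption: rules are added at the top level; on versions that use named
# IP rule sets, change context first (for example: cc IPRuleSet main).
add IPRule Action=NAT SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Service=pptp_service Name=nat_pptp

# Check the result, then deploy the changed configuration.
show Service ServiceTCPUDP pptp_service
activate
commit
```

Because IP rules are matched from the top down, a broader NAT rule placed above this one would match the TCP 1723 traffic first and the ALG would not be applied to it.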
Chapter 6: Security Mechanisms
462
