How to: Allow PPTP traffic inbound through a JUNOS-ES device with only 1 publicly available IP address.

Article ID: KB10458 | Last Updated: 05 Mar 2017 | Version: 4.0
Summary:
How to: Allow PPTP traffic inbound through a JUNOS Enhanced Services (JUNOS-ES) device with only 1 publicly available IP address.
Symptoms:
Problem Scenario:
  • JUNOS-ES device has one public IP address given by ISP.
      For this example, ge-0/0/0.0 is configured with IP 1.1.1.10/24 in zone "untrust".
  • JUNOS-ES device has private subnet on zone "trust".
      For this example, ge-0/0/3.0 is configured with IP 10.10.10.1/24 in zone "trust".
  • PPTP server is on zone "trust" with private IP address 10.10.10.155/24.
  • PPTP clients need to reach the PPTP server from the Internet.
Solution:
Note: This article applies to JUNOS-ES version 8.5 or higher.


For this scenario, configure destination NAT. This is the equivalent of a Virtual IP (VIP) in NetScreen/SSG terminology. Static NAT is not possible here, since static NAT would require a second publicly available IP address to map statically to the PPTP server's internal IP address.

The PPTP clients can come from any source address and need to establish their VPN session to 1.1.1.10 to reach the internal PPTP server. When such a packet reaches the JUNOS-ES flow module, the route lookup shows the traffic ingressing on ge-0/0/0.0 and also egressing on ge-0/0/0.0, because 1.1.1.10 is the address of that interface. The zone lookup is therefore from "untrust" to "untrust", so the destination NAT policy must be intrazone, i.e. "from-zone untrust to-zone untrust". Even so, once the destination address has been translated, the final packet correctly egresses via ge-0/0/3.0 and not ge-0/0/0.0.


Configuration Example for PPTP pass-through with destination NAT:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.10/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
}
security {
    nat {
        destination-nat pptp-incoming address 10.10.10.155 port 1723;
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone untrust {
            address-book {
                 address pptp-server-outside 1.1.1.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone untrust to-zone untrust {
            policy pptp-nat {
                match {
                    source-address any;
                    destination-address pptp-server-outside;
                    application junos-pptp;
                }
                then {
                    permit {
                        destination-nat {
                            pptp-incoming;
                        }
                    }
                }
            }
        }
    }
}


Note that junos-pptp is a pre-defined JUNOS-ES application: it matches TCP port 1723 and invokes the PPTP ALG, which dynamically permits the associated GRE traffic.

Displaying as set commands:
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/3 unit 0 family inet address 10.10.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set security nat destination-nat pptp-incoming address 10.10.10.155
set security nat destination-nat pptp-incoming address port 1723

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust address-book address pptp-server-outside 1.1.1.10/32
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0

set security policies from-zone untrust to-zone untrust policy pptp-nat match source-address any
set security policies from-zone untrust to-zone untrust policy pptp-nat match destination-address pptp-server-outside
set security policies from-zone untrust to-zone untrust policy pptp-nat match application junos-pptp
set security policies from-zone untrust to-zone untrust policy pptp-nat then permit destination-nat pptp-incoming
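The following script is an added example, not code from this KB article and not a Junos tool. It parses "display set" style lines of the form shown above and checks the invariants the article relies on: the destination-NAT policy is intrazone, the address-book entry the policy matches on is the public interface address (a typo such as 1.1.1.1 instead of 1.1.1.10 silently breaks the VIP), the application is junos-pptp so the PPTP ALG handles GRE, and the pool points at an internal host on port 1723. It also flags `host-inbound-traffic system-services all` on the zone holding the public interface, since that exposes every management service of the device to the Internet. The embedded configuration is constructed from the article's set commands; the function names and finding texts are this example's own.

```python
"""Offline consistency checks for a Junos destination-NAT (VIP-style) PPTP setup.

Added example: this is not code from the Juniper KB article and not a Junos tool.
It parses 'display set' style lines like the ones shown above and verifies the
invariants the article relies on. The sample config is constructed from the article.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the article's set commands, with the address-book entry on the public IP.
SAMPLE_SET_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
set interfaces ge-0/0/3 unit 0 family inet address 10.10.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security nat destination-nat pptp-incoming address 10.10.10.155
set security nat destination-nat pptp-incoming address port 1723
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust address-book address pptp-server-outside 1.1.1.10/32
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies from-zone untrust to-zone untrust policy pptp-nat match source-address any
set security policies from-zone untrust to-zone untrust policy pptp-nat match destination-address pptp-server-outside
set security policies from-zone untrust to-zone untrust policy pptp-nat match application junos-pptp
set security policies from-zone untrust to-zone untrust policy pptp-nat then permit destination-nat pptp-incoming
"""


def parse_set_config(text):
    """Collect only the statements the checks need from 'set ...' lines."""
    cfg = {"iface": {}, "zone_ifaces": defaultdict(list), "addr_book": {},
           "zone_services": defaultdict(set), "pools": defaultdict(dict),
           "policies": defaultdict(dict)}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue
        t = t[1:]
        if t[0] == "interfaces" and "address" in t:
            # interfaces ge-0/0/0 unit 0 family inet address 1.1.1.10/24
            cfg["iface"][f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[:3] == ["security", "zones", "security-zone"]:
            zone = t[3]
            if t[4] == "interfaces":
                cfg["zone_ifaces"][zone].append(t[5])
            elif t[4:6] == ["address-book", "address"]:
                cfg["addr_book"][t[6]] = ipaddress.ip_network(t[7])
            elif t[4:6] == ["host-inbound-traffic", "system-services"]:
                cfg["zone_services"][zone].add(t[6])
        elif t[:3] == ["security", "nat", "destination-nat"]:
            pool = cfg["pools"][t[3]]
            if t[4:6] == ["address", "port"]:
                pool["port"] = int(t[6])
            elif t[4] == "address":
                pool["address"] = ipaddress.ip_address(t[5])
        elif t[:2] == ["security", "policies"]:
            # security policies from-zone A to-zone B policy NAME match|then ...
            pol = cfg["policies"][(t[3], t[5], t[7])]
            if t[8] == "match":
                pol[t[9]] = t[10]
            elif t[8:11] == ["then", "permit", "destination-nat"]:
                pol["dnat"] = t[11]
    return cfg


def check_pptp_vip(text):
    """Return a list of findings; an empty list means every invariant holds."""
    cfg = parse_set_config(text)
    findings = []
    for (src, dst, name), pol in cfg["policies"].items():
        if "dnat" not in pol:
            continue
        pool = cfg["pools"].get(pol["dnat"], {})
        # The pre-NAT route lookup lands on the public interface, so the policy must be intrazone.
        if src != dst:
            findings.append(f"{name}: destination-NAT policy should be intrazone, got {src}->{dst}")
        # The VIP address-book entry must be exactly the public interface address in that zone.
        public_ips = {cfg["iface"][i].ip for i in cfg["zone_ifaces"][src] if i in cfg["iface"]}
        vip = cfg["addr_book"].get(pol.get("destination-address"))
        if vip is None or vip.num_addresses != 1 or vip.network_address not in public_ips:
            findings.append(f"{name}: destination-address {pol.get('destination-address')} = {vip} "
                            f"does not match a public IP in zone {src} {sorted(map(str, public_ips))}")
        # junos-pptp carries the PPTP ALG; a plain tcp/1723 application leaves GRE unpermitted.
        if pol.get("application") != "junos-pptp":
            findings.append(f"{name}: application {pol.get('application')} is not junos-pptp (no PPTP ALG for GRE)")
        # The pool must target port 1723 on a host behind an interface outside the public zone.
        if pool.get("port") != 1723:
            findings.append(f"{pol['dnat']}: pool port {pool.get('port')} is not 1723")
        addr = pool.get("address")
        inside = [i for i, a in cfg["iface"].items() if addr is not None and addr in a.network]
        if not inside or any(i in cfg["zone_ifaces"][src] for i in inside):
            findings.append(f"{pol['dnat']}: pool address {addr} is not on an internal interface")
    # Opening every system service on the Internet-facing zone exposes device management.
    for zone, services in cfg["zone_services"].items():
        public = any(i in cfg["iface"] and not cfg["iface"][i].ip.is_private for i in cfg["zone_ifaces"][zone])
        if "all" in services and public:
            findings.append(f"zone {zone}: host-inbound-traffic system-services all on a public interface")
    return findings


if __name__ == "__main__":
    for finding in check_pptp_vip(SAMPLE_SET_CONFIG):
        print("FINDING:", finding)
```

Run as-is it reports only the `system-services all` exposure on the untrust zone; feed it the article's hierarchical variant with `1.1.1.1/32` in the address book and it additionally reports that the VIP does not match the public interface address, which is the mistake that would otherwise only show up as PPTP sessions never reaching the server.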