[Archive] How Do I Enable PPTP Traffic to Exit Through the Juniper firewall using ScreenOS 6.0 and lower?

Article ID: KB4481
KB Last Updated: 20 Dec 2017
Version: 13.0
Summary:
How Do I Enable PPTP Traffic to Exit Through the Juniper firewall using ScreenOS 6.0 and lower? (outbound PPTP passthrough)
Solution:
Note: In ScreenOS 5.0.0r8, there was a change in behavior in the way PPTP traffic passes through the firewall. For ESP, AH, and GRE traffic (which includes PPTP), policy-based NAT policies require fixed-port DIP translations. Policy-based NAT without using a DIP is not supported. PPTP is also possible using MIP addresses.  This behavior change is applicable to ScreenOS 6.0 and lower.

The following are situations where PPTP is supported:
  • Interface-based NAT
  • Fixed-port DIP

For ScreenOS 6.1 and higher: 
Go to KB12309 - How Do I Enable PPTP Traffic to Exit Through the Juniper firewall using ScreenOS 6.1.
 

For ScreenOS 6.0 and lower:
Please take note of additional setup needed on Step 14, if running ScreenOS 5.4 or 6.0.

To enable PPTP traffic to exit through the Juniper firewall on ScreenOS 6.0 and lower, perform the following steps:

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI

Step two: From the ScreenOS options menu, click Network, and then click Interfaces.

Step three: Locate the Untrust Interface for the NetScreen device, and click Edit.

Step four: From the Interfaces Edit screen, click DIP.

Step five: Click New.

Step six: Click to select IP Address Range, and then from the IP Address Range text boxes, enter a range of IP addresses.

Step seven: Click to deselect Port Translation.

Step eight: Click OK.

Step nine: Click Policies.

Step ten: In the From drop-down menu, click to select Trust, and in the To drop-down menu, click to select Untrust.

Step eleven: Click New.

Step twelve: From Source Address, click to select Address Book Entry, and then from the Address Book Entry drop-down menu, click to select a source address.

Step thirteen: From Destination Address, click to select Address Book Entry, and then from the Address Book Entry drop-down menu, click to select a destination address.

Step fourteen: From the Service drop-down menu, click to select PPTP.

Note: If using ScreenOS 5.4 or 6.0, select the Multiple Tab next to Service.
On the next screen select GRE and PPTP from the Service Entries and click the << button to add these services to the Selected Members and click OK. (In 5.4 you will also have to add the custom services you create - see kb.juniper.net/KB9662)

Step fifteen: Click Advanced.

Step sixteen: From the Advanced Policy Settings screen, within the Nat section, click to select Source Address, and then from the (DIP on) drop-down menu, click to select your fixed-port DIP IP range.

Step seventeen: Click OK.

Step eighteen: Click OK.
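
To confirm the result of the steps above against a saved configuration, the following added example (not Juniper code and not part of the original article) flags PPTP or GRE policies whose source NAT does not point at a fixed-port DIP, which is the requirement stated in the Note at the top of the Solution. It assumes the saved config uses the ScreenOS CLI forms `set interface <name> dip <id> <start> <end> [fix-port]` and `set policy ... nat src [dip-id <id>]`; the interface name, DIP IDs and addresses are constructed placeholders, and only the service named on the policy line is checked, not services added through the Multiple tab.

```python
import re

# Constructed sample in ScreenOS saved-config style (line format is an assumption);
# interface names, DIP IDs and addresses are placeholders.
SAMPLE_CONFIG = '''\
set interface ethernet3 dip 5 1.1.1.10 1.1.1.20 fix-port
set interface ethernet3 dip 6 1.1.1.30 1.1.1.40
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "PPTP" nat src dip-id 5 permit
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "PPTP" nat src dip-id 6 permit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "GRE" nat src permit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "HTTP" nat src permit
'''

DIP_RE = re.compile(r'^set interface "?(\S+?)"? dip (\d+) \S+ \S+(.*)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "[^"]+" to "[^"]+"\s+"[^"]+" "[^"]+" "([^"]+)"(.*)$')
TUNNEL_SERVICES = {"PPTP", "GRE"}  # the services the article adds to the policy


def audit_pptp_nat(config_text):
    """Return {policy_id: reason} for PPTP/GRE policies whose NAT-src is not a fixed-port DIP."""
    fixed_port = {}  # DIP ID -> True when port translation is disabled (fix-port)
    policies = []
    for line in config_text.splitlines():
        line = line.strip()
        m = DIP_RE.match(line)
        if m:
            fixed_port[m.group(2)] = "fix-port" in m.group(3).split()
            continue
        m = POLICY_RE.match(line)
        if m:
            policies.append(m.groups())
    findings = {}
    for pol_id, service, rest in policies:
        if service.upper() not in TUNNEL_SERVICES or " nat src" not in rest:
            continue  # no policy-based NAT: interface-based NAT or routed traffic
        dip = re.search(r"\bdip-id (\d+)\b", rest)
        if dip is None:
            findings[pol_id] = "policy-based NAT without a DIP"
        elif dip.group(1) not in fixed_port:
            findings[pol_id] = "DIP %s is not defined" % dip.group(1)
        elif not fixed_port[dip.group(1)]:
            findings[pol_id] = "DIP %s still has port translation enabled" % dip.group(1)
    return findings


if __name__ == "__main__":
    for pol_id, reason in sorted(audit_pptp_nat(SAMPLE_CONFIG).items()):
        print("policy %s: %s" % (pol_id, reason))
```
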

Modification History:
2017-12-07: Article reviewed for accuracy and archived. Article is correct and complete.
