Allow PPTP traffic inbound through a Juniper Firewall in NAT mode with only 1 publicly available IP address
Article ID: KB5471
Last Updated: 11 Aug 2011
Version: 11.0

Allow PPTP traffic inbound through a Juniper Firewall in NAT mode with only one publicly available IP address. The same method applies to port forwarding in general: substitute the protocol of interest for PPTP (for example, HTTP in place of PPTP).
  • VIP same as untrust
  • Only one publicly available IP address
  • VIP defined with PPTP service
Symptoms & Errors:
  • Cannot define a VIP on the same address as the untrust interface when PPTP is used as the service
Note: This article applies to ScreenOS 5.0 and higher.

To address this problem, enable the VIP multi-port command, which allows a VIP service to listen on more than one port. Without this command, a VIP service can listen on only one port. Note that setting VIP multi-port requires a reboot.

From the command line interface (CLI):

set vip multi-port [Enter]
save [Enter]
reset [Enter]

With multi-port enabled, the VIP matches on the first port listed in the custom service (port 2048 in the example below, which is why the VIP is bound to port 2048).

Next, define a custom service for PPTP and apply this service in the VIP.  From the CLI:

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048 [Enter]
set service CustomPPTP + tcp src 0-65535 dst 1723-1723 [Enter]
set interface ethernet0/0 vip 2048 CustomPPTP [Enter]

Finally, create an incoming policy with destination address as the VIP using the custom service object.  From the CLI:

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit [Enter]
save [Enter]

In this example, the PPTP server is assumed to be on the trust side of the firewall (its IP address is not given in this article). Note that for Microsoft Windows, the custom PPTP service must contain both TCP port 1723 and IP protocol 47 with port 2048. The source port for TCP 1723 must be 0-65535 so that any client source port is accepted.
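As an added example (not Juniper's code and not part of this article), the following Python script generates the three groups of commands above for an arbitrary single-IP VIP port-forward and checks the constraints the article states: multi-port (plus save and reset) is needed when the custom service has more than one port, the VIP port must be the first port in the service, TCP entries should accept any source port, and a Windows PPTP server needs both TCP 1723 and IP protocol 47 with port 2048. The two service-line forms used for PPTP are copied from the article; the `protocol tcp` form for a first TCP/UDP entry and the `+ other <n>` form for an appended non-TCP entry are assumptions. The script also covers the HTTP substitution the article mentions, where no multi-port setting is required.

```python
"""Generate and sanity-check a ScreenOS VIP port-forward (custom service,
VIP binding, inbound policy) for a firewall with one public IP.

Added example, not Juniper's code. CLI strings follow the forms shown in
KB5471; forms marked as assumptions below are not from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One line of a ScreenOS custom service object."""
    proto: str                 # "tcp", "udp" or "other"
    number: int = 0            # IP protocol number, used only when proto == "other"
    src: tuple = (0, 65535)    # source port range
    dst: tuple = (0, 0)        # destination port range

    def first_port(self):
        return self.dst[0]


# PPTP exactly as the article defines it: GRE (IP protocol 47) keyed to
# port 2048, plus TCP 1723 reachable from any source port.
PPTP_ENTRIES = (
    Entry("other", 47, (2048, 2048), (2048, 2048)),
    Entry("tcp", src=(0, 65535), dst=(1723, 1723)),
)


def _proto_clause(e, first):
    if e.proto == "other":
        # 'group "other" <n>' is the article's form for the first entry;
        # '+ other <n>' for an appended entry is an assumption.
        return f'group "other" {e.number}' if first else f"other {e.number}"
    # '+ tcp ...' is the article's form for an appended entry;
    # 'protocol tcp' for a first TCP/UDP entry is an assumption.
    return f"protocol {e.proto}" if first else e.proto


def service_commands(name, entries):
    """'set service' lines: the first entry creates the object, later ones
    are appended with '+', as in the article."""
    cmds = []
    for i, e in enumerate(entries):
        plus = "" if i == 0 else "+ "
        cmds.append(f"set service {name} {plus}{_proto_clause(e, i == 0)} "
                    f"src {e.src[0]}-{e.src[1]} dst {e.dst[0]}-{e.dst[1]}")
    return cmds


def vip_commands(interface, vip_port, name):
    return [f"set interface {interface} vip {vip_port} {name}"]


def policy_commands(name, vip_ref="VIP::1", from_zone="untrust", to_zone="trust"):
    return [f'set policy from {from_zone} to {to_zone} "any" "{vip_ref}" "{name}" permit']


def check_forward(entries, vip_port, multi_port_enabled, windows_pptp=False):
    """Return the problems a practitioner should fix before committing,
    each one derived from a constraint stated in the article."""
    problems = []
    if len({e.dst for e in entries}) > 1 and not multi_port_enabled:
        problems.append("service listens on more than one port: "
                        "'set vip multi-port', then save and reset, is required")
    if entries and entries[0].first_port() != vip_port:
        problems.append(f"VIP port {vip_port} must equal the first port in the "
                        f"custom service ({entries[0].first_port()}); multi-port "
                        "matches the first port it sees")
    for e in entries:
        if e.proto in ("tcp", "udp") and e.src != (0, 65535):
            problems.append(f"{e.proto} dst {e.dst[0]}-{e.dst[1]}: source range "
                            f"{e.src[0]}-{e.src[1]} rejects clients on other source ports")
    if windows_pptp:
        needed = {("tcp", 0, (1723, 1723)), ("other", 47, (2048, 2048))}
        have = {(e.proto, e.number if e.proto == "other" else 0, e.dst) for e in entries}
        if not needed <= have:
            problems.append("Windows PPTP needs both TCP 1723 and IP protocol 47 with port 2048")
    return problems


def build_forward(name, entries, interface, vip_port, multi_port_enabled, windows_pptp=False):
    """Full command list for the forward, together with any problems found."""
    cmds = (service_commands(name, entries)
            + vip_commands(interface, vip_port, name)
            + policy_commands(name)
            + ["save"])
    return {"commands": cmds,
            "problems": check_forward(entries, vip_port, multi_port_enabled, windows_pptp)}


if __name__ == "__main__":
    # The article's PPTP case, with multi-port already enabled and rebooted.
    result = build_forward("CustomPPTP", PPTP_ENTRIES, "ethernet0/0", 2048, True, True)
    for line in result["commands"]:
        print(line)
    for p in result["problems"]:
        print("PROBLEM:", p)
```

Running the block with multi-port disabled or with the VIP bound to 1723 instead of 2048 reports the corresponding problem instead of silently producing a forward that will not pass GRE; a single-port HTTP forward (`Entry("tcp", dst=(80, 80))` bound to VIP port 80) produces no problems and no multi-port requirement.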

To allow multiple outgoing PPTP client connections through a firewall using a DIP pool, see KB5303: Multiple PPTP clients cannot connect outgoing when using DIP with port-translation.
