Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
June 2001

Permitting VPN Traffic Across a Firewall

I'm trying to implement an RRAS-configured Windows 2000 server to permit incoming client VPN connections over PPTP and Layer 2 Tunneling Protocol (L2TP). The server is behind a firewall. What ports do I need to open on the firewall to permit the necessary types of traffic to access the server?

For PPTP VPN connections, you need to open TCP port 1723 for PPTP tunnel maintenance traffic and permit IP protocol 47, Generic Routing Encapsulation (GRE), so that PPTP tunnel data can pass to your RRAS server's IP address. GRE is an IP protocol in its own right, alongside TCP and UDP; it is not a TCP or UDP port number. If the PPTP-based RRAS server is the calling router on router-to-router VPN connections (i.e., VPN-based LAN-to-LAN connections to another RRAS server), you need to create an input filter (i.e., inbound rule) on your firewall that permits TCP port 1723 as a source port to your RRAS server. For L2TP VPN connections, you need to open UDP port 500 for Internet Key Exchange (IKE) traffic and UDP port 1701 for L2TP traffic. If you restrict outbound traffic, be sure to open all these ports in that direction as well so that the VPN server can communicate with your remote VPN clients.

If VPN traffic is the only traffic you permit to your RRAS server, the best practice from a security standpoint is to deny all traffic except the types I listed in the previous paragraph. I also suggest that you place your RRAS server in a network demilitarized zone (DMZ) rather than on the internal LAN. Chapter 9 of the Microsoft Windows 2000 Server Resource Kit's "Internetworking Guide" volume provides information about properly configuring firewalls for this situation and other VPN server scenarios.
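The allow-list above, with the default deny recommended in the previous paragraph, as an added example (not code from the article or from Microsoft). It evaluates constructed packets against the rules and renders the same policy as iptables FORWARD rules; the RRAS address 203.0.113.10 is a placeholder.

```python
"""Allow-list for an RRAS VPN server behind a firewall (added example).

Models the article's rules (TCP 1723 and GRE for PPTP; UDP 500 and
UDP 1701 for L2TP) with a default deny. 203.0.113.10 is a placeholder."""
from typing import List, Optional

RRAS_IP = "203.0.113.10"          # placeholder address for the RRAS server
TCP, UDP, GRE = 6, 17, 47         # IP protocol numbers

# (IP protocol, destination port). None means the protocol has no ports.
INBOUND_ALLOW = [
    (TCP, 1723),   # PPTP tunnel maintenance (control channel)
    (GRE, None),   # PPTP tunnel data: IP protocol 47, which is not "port 47"
    (UDP, 500),    # IKE, which sets up the IPsec protection for L2TP
    (UDP, 1701),   # L2TP itself
]


def inbound_allowed(proto: int, dst_ip: str, dport: Optional[int] = None) -> bool:
    """True only for traffic to the RRAS host that matches an allow rule."""
    if dst_ip != RRAS_IP:
        return False                      # only the VPN server is reachable
    for rule_proto, rule_port in INBOUND_ALLOW:
        if rule_proto == proto and rule_port in (None, dport):
            return True
    return False                          # default deny, as the article recommends


def iptables_rules() -> List[str]:
    """Render the policy: inbound to RRAS, the mirror outbound, then drop the rest."""
    names = {TCP: "tcp", UDP: "udp", GRE: "47"}   # iptables accepts the raw protocol number
    lines = []
    for proto, port in INBOUND_ALLOW:
        ports_in = f" --dport {port}" if port is not None else ""
        ports_out = f" --sport {port}" if port is not None else ""
        lines.append(f"-A FORWARD -d {RRAS_IP} -p {names[proto]}{ports_in} -j ACCEPT")
        lines.append(f"-A FORWARD -s {RRAS_IP} -p {names[proto]}{ports_out} -j ACCEPT")
    lines.append("-A FORWARD -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed sample packets, including the confusions raised in the comments.
    samples = [("PPTP control", TCP, RRAS_IP, 1723), ("GRE data", GRE, RRAS_IP, None),
               ("TCP port 47 (not GRE)", TCP, RRAS_IP, 47), ("SMB 445", TCP, RRAS_IP, 445),
               ("PPTP to another host", TCP, "203.0.113.20", 1723)]
    for label, proto, ip, port in samples:
        print(f"{label:24} {'ACCEPT' if inbound_allowed(proto, ip, port) else 'DROP'}")
    print("\n".join(iptables_rules()))
```

In practice, L2TP over IPsec also carries its data in ESP (IP protocol 50), which the article's list omits; permit it the same way as GRE if you deploy L2TP.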


Reader Comments
I keep seeing the comment about permitting IP Protocol 47 (GRE). How is that done?

Mike Bartosh May 15, 2002


*quotes Mike Bartosh* - How to set up a rule for IP Protocol Type 47 on a Router that only allows you to forward single ports?

Oliver Schneider December 30, 2003


Sir, I'd like to find a program to download movies across my company's firewall. P2P protocol is disabled. Where can I read about it? Thanks

Einar Montero April 23, 2004


I am trying to establish VPN traffic through a router, no firewall. I have configured port 1723 to forward to the server IP address. This is still not allowing me to pass through. How do I configure a rule for IP Type 47 on a router?

Jeff Levy May 14, 2004


Folks, how can I know what ports are available to use? I have Kazaa but I don't know which port I have to use.

Pablo Guzmán May 18, 2004


I opened all the ports listed as required on the router...including 1723. When I try to connect - I get a "did not respond" error. If I switch the machine to a local DMZ...boom...I get right thru and the VPN works as it should. I don't want to leave the server wide open in the DMZ however.
I can't seem to find the 'missing' port forward.
Can anyone help?
Here are the ports that are forwarded: 47, 1700-1750, 445.

Rob June 18, 2004


Firstly, PPTP (VPN) is ENTIRELY different to PTP (Kazaa, etc.). If you don't know the difference, do some research and stop downloading rubbish illegally!

Second, you need to allow protocol 47, not port 47, for this to work! There IS a difference!

Anonymous User December 07, 2004


Well, what is protocol 47? I am using a Linksys router; it gives me the options of TCP and UDP to forward....

Anonymous User January 06, 2005


Protocol 47 is not TCP and not UDP! It is a protocol like TCP and UDP. A lot of routers do not permit forwarding this protocol. The Cisco 800 series does.

Anonymous User January 13, 2005


On a linksys router, you can set it to allow pptp passthrough. Depending on your Linksys router, it would be on the VPN Passthrough page under Security. Then route port 1723 traffic to your RAS server on the port range forwarding page. If you are using a firewall, you enable protocol 47 by using "gre" like so...

access-list acl_in permit gre any any

Hope this helps!

Anonymous User January 14, 2005


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.