PPTP ALG
The Point-to-Point Tunneling Protocol (PPTP) ALG is a TCP-based ALG. PPTP allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. PPTP defines a client-server architecture, a PPTP Network Server, and a PPTP Access Concentrator. The PPTP ALG requires a control connection and a data tunnel. The control connection uses TCP to establish and disconnect PPP sessions, and runs on port 1723. The data tunnel carries PPP traffic in generic routing encapsulated (GRE) packets that are carried over IP.
Understanding the PPTP ALG
The Point-to-Point Tunneling Protocol (PPTP) ALG is used for tunneling Point-to-Point Protocol (PPP) packets over an IP network. The PPTP ALG is often used to implement a client/server architecture, a PPTP network server, and a PPTP access concentrator.
The PPTP ALG processes PPTP packets, performs Network Address Translation (NAT), open pinholes for new data connections between a client and a server, and transfers data between a client and a server located on opposite sides of a Juniper Networks device.
Understanding IPv6 Support for the PPTP ALG
The PPTP ALG uses TCP port 1723 to connect and disconnect a client and a server. The PPTP ALG supports IPv6 data packets.
The PPTP ALG with IPv6 support, parses both IPv4 and IPv6 PPTP packets, performs NAT, and then opens a pinhole for the data tunnel.
The PPTP ALG with IPv6 support does not support NAT-PT and NAT64, because PPP packets are compressed with Microsoft Point-to-Point Encryption (MPPE) protocol after the tunnel is set up; therefore translation of the IP header in the PPP package cannot be handled.
The PPTP ALG with IPv6 support has the following limitation:
Because PPP packets are compressed with Microsoft Point-to-Point Encryption (MPPE) protocol after the tunnel is set up, translation of the IP header in the PPP package cannot be handled; therefore, to make sure PPTP connection works well, the PPTP client must be able to work in dual stack mode. So that an IPv6 PPTP client can accept an IPv4 address for PPP tunnel interface, by which it can communicate with the IPv4 PPTP server without IP address translation for PPP packets.
The flow module supports IPv6 to parse the GRE packet and use the GRE call ID as fake port information to search the session table and gate table.
The PPTP ALG can support NAT64 in a specific scenario in which translation of the IP header in the PPP package is not required—that is, if the PPTP client works in dual-stack mode in the IPv6 network and server in the IPv4 network.
Example: Configuring the PPTP ALG
The PPTP ALG processes PPTP packets, performs NAT, and open pinholes for new data connections between a client and a server.
This example shows how to configure the PPTP ALG in route or NAT mode. The configuration allows PPTP traffic to pass through a device, transferring data between a client and a server located on opposite sides of a Juniper Networks device.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall
Two PCs (client and server)
Before you begin:
Understand the concepts behind ALGs. See ALG Overview.
Understand the basics of PPTP ALG. See Understanding the PPTP ALG.
Overview
In this example, first you configure network interfaces on the device, create security zones and assign interfaces to the zones, and configure a policy to allow PPTP traffic to go through an SRX Series Firewall.
Then you create a static NAT rule set rs1 with a rule r1 to match with the destination address 30.5.2.120/32, and you create a static NAT prefix with address 10.5.1.120/32.
Next you create a source NAT pool src-p1 with a source rule set src-rs1 to translate packets from zone trust to zone untrust. For matching packets, the source address is translated to an IP address in the src-p1 pool.
Then you create a destination NAT pool des-p1 with a destination rule set des-rs1 to translate packets from zone trust to destination address 30.5.1.120/32. For matching packets, the destination address is translated to an IP address in the des-p1 pool. Finally, you configure PPTP ALG trace options.
Configuration
To configure the PPTP ALG, perform these tasks:
- Configuring a Route Mode
- Configuring a Static NAT Rule Set
- Configuring a Source NAT Pool and Rule Set
- Configuring a Destination NAT Pool and Rule Set
- Configuring PPTP ALG trace options
Configuring a Route Mode
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/8 set interfaces fe-0/0/2 unit 0 family inet address 10.10.10.1/8 set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic protocols all set security zones security-zone untrust interfaces fe-0/0/2 host-inbound-traffic system-services all set security zones security-zone untrust interfaces fe-0/0/2 host-inbound-traffic protocols all set security policies from-zone trust to-zone untrust policy pptp match source-address any set security policies from-zone trust to-zone untrust policy pptp match destination-address any set security policies from-zone trust to-zone untrust policy pptp match application junos-pptp set security policies from-zone trust to-zone untrust policy pptp then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure route mode:
Configure interfaces.
[edit interfaces] user@host#set ge-0/0/1 unit 0 family inet address 20.20.20.1/8 user@host#set fe-0/0/2 unit 0 family inet address 10.10.10.1/8
Configure zones and assign interfaces to the zones.
[edit security zones security-zone trust] user@host#set interfaces ge-0/0/1 host-inbound-traffic system-services all user@host#set interfaces ge-0/0/1 host-inbound-traffic protocols all [edit security zones security-zone untrust] user@host#set interfaces fe-0/0/2 host-inbound-traffic system-services all user@host#set interfaces fe-0/0/2 host-inbound-traffic protocols all
Configure a PPTP policy that allows PPTP traffic from the trust zone to the untrust zone.
[edit security policies from-zone trust to-zone untrust] user@host#set policy pptp match source-address any user@host#set policy pptp match destination-address any user@host#set policy pptp match application junos-pptp user@host#set policy pptp then permit
Results
From configuration mode, confirm your configuration
by entering the show interfaces, show security zones, and show security policies commands. If the output does
not display the intended configuration, repeat the configuration instructions
in this example to correct it.
For brevity, this show output includes only the configuration
that is relevant to this example. Any other configuration on the system
has been replaced with ellipses (...).
[edit]
user@host# show interfaces
...
ge-0/0/1 {
unit 0 {
family inet {
address 20.20.20.1/8;
}
}
}
fe-0/0/2 {
unit 0 {
family inet {
address 10.10.10.1/8;
}
}
}
...
[edit]
user@host# show security zones
security-zone trust {
....
interfaces {
ge-0/0/1 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
...
security-zone untrust {
interfaces {
fe-0/0/2 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
policy pptp {
match {
source-address any;
destination-address any;
application junos-pptp;
}
then {
permit;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Static NAT Rule Set
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security nat static rule-set rs1 from zone trust set security nat static rule-set rs1 rule r1 match destination-address 30.5.2.120/32 set security nat static rule-set rs1 rule r1 then static-nat prefix 10.5.1.120/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a static NAT rule set:
Create a static NAT rule set.
[edit security nat static rule-set rs1] user@host#set from zone trust
Define the rule to match with the destination address.
[edit security nat static rule-set rs1] user@host# set rule r1 match destination-address 30.5.2.120/32
Define the static NAT prefix for the device.
[edit security nat static rule-set rs1] user@host# set rule r1 then static-nat prefix 10.5.1.120/32
Results
From configuration mode, confirm your configuration
by entering the show security nat command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security nat
static {
rule-set rs1 {
from zone trust;
rule r1 {
match {
destination-address 30.5.2.120/32;
}
then {
static-nat {
prefix {
10.5.1.120/32;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Source NAT Pool and Rule Set
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security nat source pool src-p1 address 30.5.1.120/32 set security nat source rule-set src-rs1 from zone trust set security nat source rule-set src-rs1 to zone untrust set security nat source rule-set src-rs1 rule src-r1 match source-address 20.5.1.120/32 set security nat source rule-set src-rs1 rule src-r1 match destination-address 10.5.2.120/32 set security nat source rule-set src-rs1 rule src-r1 then source-nat pool src-p1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a source NAT pool and rule set:
Create a source NAT pool.
[edit security nat source] user@host#set pool src-p1 address 30.5.1.120/32
Create a source NAT rule set.
[edit security nat source ] user@host# set rule-set src-rs1 from zone trust user@host# set rule-set src-rs1 to zone untrust
Configure a rule that matches packets and translates the source address to an address in the source pool.
[edit security nat source] user@host# set rule-set src-rs1 rule src-r1 match source-address 20.5.1.120/32
Configure a rule that matches packets and translates the destination address to an address in the source pool.
[edit security nat source] user@host# set rule-set src-rs1 rule src-r1 match destination-address 10.5.2.120/32
Configure a source NAT pool in the rule.
[edit security nat source] user@host# set rule-set src-rs1 rule src-r1 then source-nat pool src-p1
Results
From configuration mode, confirm your configuration
by entering the show security nat command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security nat
source {
pool src-p1 {
address {
30.5.1.120/32;
}
}
rule-set src-rs1 {
from zone trust;
to zone untrust;
rule src-r1 {
match {
source-address 20.5.1.120/32;
destination-address 10.5.2.120/32;
}
then {
source-nat {
pool {
src-p1;
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Destination NAT Pool and Rule Set
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security nat destination pool des-p1 address 10.5.1.120/32 set security nat destination rule-set des-rs1 from zone trust set security nat destination rule-set des-rs1 rule des-r1 match source-address 20.5.1.120/32 set security nat destination rule-set des-rs1 rule des-r1 match destination-address 30.5.1.120/32 set security nat destination rule-set des-rs1 rule des-r1 then destination-nat pool des-p1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a destination NAT pool and rule set:
Create a destination NAT pool.
[edit security nat destination] user@host#set pool des-p1 address 10.5.1.120/32
Create a destination NAT rule set.
[edit security nat destination] user@host# set rule-set des-rs1 from zone trust
Configure a rule that matches packets and translates the source address to the address in the pool.
[edit security nat destination] user@host# set rule-set des-rs1 rule des-r1 match source-address 20.5.1.120/32
Configure a rule that matches packets and translates the destination address to the address in the pool.
[edit security nat destination] user@host# set rule-set des-rs1 rule des-r1 match destination-address 30.5.1.120/32
Configure a source NAT pool in the rule.
[edit security nat destination] user@host# set rule-set des-rs1 rule des-r1 then destination-nat pool des-p1
Results
From configuration mode, confirm your configuration
by entering the show security nat command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security nat
destination {
pool des-p1 {
address {
10.5.1.120/32;
}
}
rule-set des-rs1 {
from zone trust;
rule des-r1 {
match {
source-address 20.5.1.120/32;
destination-address 30.5.1.120/32;
}
then {
destination-nat {
pool {
des-p1;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring PPTP ALG trace options
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security alg pptp traceoptions flag all set security alg traceoptions file trace set security alg traceoptions file size 1g set security alg traceoptions level verbose
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure PPTP ALG trace options:
Enable PPTP ALG trace options.
[edit security alg] user@host#set pptp traceoptions flag all
Configure a filename to receive output from the tracing operation.
[edit security alg] user@host#set traceoptions file trace
Specify the maximum trace file size.
[edit security alg] user@host#set traceoptions file size 1g
Specify the level of tracing output.
[edit security alg] user@host#set traceoptions level verbose
Results
From configuration mode, confirm your configuration
by entering the show security alg command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security alg
traceoptions {
file trace size 1g;
level verbose;
}
pptp traceoptions flag all;
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying the PPTP ALG Control Session
- Verifying the PPTP ALG Flow Gate Information
- Verifying PPTP ALG
- Verifying the PPTP Resource Manager Group
- Verifying the PPTP Resource Information
Verifying the PPTP ALG Control Session
Purpose
Verify that the PPTP control session is created and all the PPTP control and data sessions are created.
Action
From operational mode, enter the show security
flow session command.
user@host>show security flow session SSession ID: 57, Policy name: pptp, Timeout: 1787 Resource information : PPTP ALG, 1, 0 In: 20.20.20.32/3905 --> 10.10.10.32/1723;tcp, If: ge-0/0/1.0 Pkts: 6, Bytes: 584 Out: 10.10.10.32/1723 --> 20.20.20.32/3905;tcp, If: fe-0/0/2.0 Pkts: 4, Bytes: 352 Session ID: 58, Policy name: pptp, Timeout: 1799 In: 20.20.20.32/0 --> 10.10.10.32/256;gre, If: ge-0/0/1.0 Out: 10.10.10.32/256 --> 20.20.20.32/65001;gre, If: fe-0/0/2.0 Session ID: 59, Policy name: pptp, Timeout: 1787 In: .10.10.10.32/0 --> 20.20.20.32/260;gre, If: ge-0/0/1.0 Out: 20.20.20.32/260 --> 10.10.10.32/65000;gre, If: fe-0/0/2.0
Meaning
Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name or number of packets in and out.
Policy name—Policy name that permitted the traffic.
In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and the source interface for this session is ge-0/0/1.0).
Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and destination interface for this session is fe-0/0/2.0).
Verifying the PPTP ALG Flow Gate Information
Purpose
Verify that the flow gate is opened for TCP data channel connection.
Action
From operational mode, enter the show security
flow gate command.
user@host>show security flow gate
Hole: 20.0.172.24-20.0.172.24/0-0->21.0.172.38-21.0.172.38/25750-25750
Translated: 2015::172:24/65000->2005::172:108/360
Protocol: gre
Application: PPTP ALG/69
Age: 118 seconds
Flags: 0x0080
Zone: trust
Reference count: 1
Resource: 12-1-1
Hole: 2005::172:108-0-0->2015::172:24-2432-2432
Translated: 21.0.172.38/65001->20.0.172.24/2432
Protocol: gre
Application: PPTP ALG/69
Age: 120 seconds
Flags: 0x8080
Zone: untrust
Reference count: 1
Resource: 12-1-2
Valid gates: 2
Pending gates: 0
Invalidated gates: 0
Gates in other states: 0
Total gates: 2Verifying PPTP ALG
Purpose
Verify that the PPTP ALG is enabled.
Action
From operational mode, enter the show security
alg status command.
user@host>show security alg status ALG Status : PPTP : Enabled RSH : Disabled RTSP : Enabled SCCP : Enabled SIP : Enabled TALK : Enabled TFTP : Enabled IKE-ESP : Disabled
Meaning
The output shows the PPTP ALG status as follows:
Enabled—Shows the PPTP ALG is enabled.
Disabled—Shows the PPTP ALG is disabled.
Verifying the PPTP Resource Manager Group
Purpose
Verify the total number of resource manager groups and active groups that are used by the PPTP ALG.
Action
From operational mode, enter the show security
resource-manager group active command.
user@host>show security resource-manager group active
Group ID 1: Application - PPTP ALG
Total groups 19763, active groups 1Verifying the PPTP Resource Information
Purpose
Verify the total number of resources and active resources that are used by the PPTP ALG.
Action
From operational mode, enter the show security
resource-manager resource active command.
user@host>show security resource-manager resource active
Resource ID 2: Group ID - 1, Application - PPTP ALG
Resource ID 1: Group ID - 1, Application - PPTP ALG
Total Resources 93286, active resources 2