RV: VPN (PPTP) problem with Gauntlet 5.5

[Laura Nuñez <potus () velocom com ar>]

I did not wanted to add more mails to our poor and tired :-) list moderator
when the list was closed, but this is my first mail after "reopening" so i
will have to let my feelings show...
THANKS MARCUS! THANKS MARCUS! THANKS MARCUS! THANKS MARCUS!.... (and
goes...)
now, the problem...

> Hi Wizards,
>       We are installing a Gauntlet 5.5 for WinNT. The configuration (is
> not the optimal/usual, i know) is as follows:
>
> 1 Internal Interface (Private addresses i.i.i.229, mask 255.255.0.0)
> 2 External Interfaces
>       1. ISP A (A.A.A.2 address). This is the interface from which we use
> the Default Gateway.
>       2. ISP B (B.B.B.82 address)
>
>       The services we use thru the FW are:
>
> 1. VPN (Microsoft PPTP) in a box located in the internal network
> (i.i.i.118)
> 2. HTTP (MS Proxy in the internal network i.i.i.3)
> 3. SSL (Outlook Web Access, in the i.i.i.3, the public address is in the
> ISP B - B.B.B.82)
> 4. SMTP (Mail hub in the Internal network, same than OWA server)
>
>       All is working ok, except for the PPTP connection. If we test it
> from the inside we can connect. When we try to use the public address
> (from an external ISP) we get an error (time out). I created the NAT and
> the Packet Screening rules as follows
> Packet Screening:
>       1. TCP Control (TCP) ISP B Interface/Absorb Traffic/Source
> *-*-*-*/Destination i.i.i.118-255.255.255.255-1723-1723
>       2. TCP Control (TCP) ISP A Interface/Absorb Traffic/Source
> *-*-*-*/Destination i.i.i.118-255.255.255.255-1723-1723
>       3. IP Conn Outbound Internal Interface/FW without reply/Source
> i.i.i.118-255.255.255.255-1723-1723/Destination *.*.*.*
>       4. IP Conn Inbound ISP B Interface/FW without reply/Source *.*.*.*/
> Destination i.i.i.118-255.255.255.255-1723-1723
>       5. IP Conn Inbound ISP A Interface/FW without reply/Source *.*.*.*/
> Destination i.i.i.118-255.255.255.255-1723-1723
>
>       The NAT rule is:
>       Local address i.i.i.118/255.255.255.255
>       Global Address B.B.B.83
>       Interfaces to see Global Address: ISP B Interface
>
>       What can be the problem? I can see the NAT entry when the client
> connects, but then the client receives a time out.
        This is an extract of the PPTP-related errors in the gauntlet log:

> <13> 2000-08-23 16:43:03 pptp: src=x.x.x.11 (client from Inet)
> dest=i.i.i.118 id=150 permitted by policy: policy-untrusted.pptp
> <13> 2000-08-23 16:43:07 pptp: src=x.x.x.11 dest=i.i.i.118 id=150
> disconnected in=352 out=356
>       
> Thanks in advance, Laura
>
> ---------------------------------------
> Laura Nuñez
> mailto:potus () velocom com ar
> Argentina
> ---------------------------------------

<<attachment: winmail.dat>>