When it comes to configuring your SSG-5 Juniper firewall to pass-through PPTP traffic, it can be a pain in the **s. As I discovered myself after two days struggling…
So, in case you end up in the same situation, here’s my solution: how to configure the Juniper SSG-5 to pass through PPTP traffic. Forgive me that this explanation uses the WebGUI, but it’s actually very easy.
Before starting, you have to turn VIP multi-port on. This can only be done through the command-line interface. Article KB5471 from the Juniper knowledge base describes this set-up:
set vip multi-port [Enter]
save [Enter]
reset [Enter]
First of all, you have to put your existing network interfaces in ROUTE mode instead of NAT. If you already have policies defined, don’t panic! I will shortly come to how to fix the NAT transition.
So, go to: Network > Interfaces > List and edit both the trusted and untrusted interfaces, and set the interface mode to ROUTE.
At the untrusted interface (that’s where the internet is connected to, and where you will be pointing your PPTP client to), also click on the Properties VIP.
Add a VIP entry with the [Same as the interface IP address].
Go to Policy > Policy Elements > Services > Custom. Click the new button.
Give the service name: CustomPPTP
Add the protocol information accordingly and press OK.
Do understand: the PPTP protocol itself uses TCP and port 1723. Protocol 47 (GRE) uses port 2048.
Go back to the interface configuration of your untrusted VIP settings and add a New VIP service. Select your CustomPPTP service and map it to the IP of your PPTP server:
Go to Policy > Policies and add a new policy from the UNTRUSTED zone to the TRUSTED zone:
Go to the Advanced tab (you should do this for ALL your existing policies when you’ve changed the interface settings from NAT to ROUTE!), turn NAT Source Translation ON and press OK:
That’s all you have to do. Try to connect your client to the server; all should work now.
Please note: the IP addresses above are examples only.
If you think this article was helpful or you’ve still got some questions, then please feel free to drop a comment!
Great article!
You really helped me forward on this as I forgot how I fixed it several years ago 🙂
Awesome article, helped out a lot!
Some of the pics are broken… Can you fix it, please?
Thank you for commenting! I’ve fixed it. 🙂
I love you – I’ve been trying to figure this out for ages!
OMG YES! Thanks
Hi!
I configured SSG 140 as per your steps but still unable to connect to server. Pls help
Hi Sajid,
Thank you for commenting. Can you please explain what you are trying to do? Are you configuring your SSG-140 for pass-through PPTP traffic to an internal PPTP server?
Thank you very much!!
This helped me setup PPTP/GRE on our office SSG5
Hi Esmé,
I followed your guide but on our SSG 140 it only worked when I changed the order of ports for the CustomPPTP Service, I had to list TCP Port 1723 first and after that protocol 47 port 2048. Just in case one has the same problem.
Thanks a lot anyways, your guide helped me a lot!
THANK YOU!!! I am very new to Juniper products and I had to get PPTP working.
Thanks for your excellent instruction, but I am still having troubles. I have followed your instruction but when I change my trust interface to Route it completely kills my internet. Also, the VPN doesn’t connect. Under my VIP address in the untrust it is always shown as down. Is there something else I need to change, when I change to route mode to allow normal traffic? Thanks.