Configuring Security Gateways to allow connection to PPTP server while using Hide-NAT (GRE and Hide-NAT support)

• Attempting to NAT GRE traffic through a Check Point Security Gateway results in the traffic traversing without NAT taking effect.

• PPTP connectivity fails when GRE tunnels are encrypted and being Hide NATed through a Security Gateway.

• PPTP/GRE traffic stops passing after enabling SecureXL Optimized Drops feature per sk90861.

PPTP/GRE enforcement and NAT require inspection of PPTP/GRE packet header data and do not support encrypted GRE tunnels that encrypt the GRE header payload.

GRE protocol (Protocol #47) does not use ports. For this and other reasons, there are technical difficulties attempting to NAT encrypted GRE traffic.

Until NG AI HFA_10, and the existence of the IPS protection "Non Compliant PPTP" (formerly known as SmartDefense protection "PPTP Enforcement"), it was not possible to create multiple sessions with a PPTP server while the clients were hidden using Hide NAT.

Activate the relevant IPS protection to enable PPTP parsing enforcement, which also allows the Security Gateway to support PPTP/GRE traffic over Hide-NAT.

This solution describes how to configure R70 (and above) Security Gateway to allow PPTP/GRE clients behind NAT to connect to remote PPTP server. This solution depends on IPS to inspect and better understand the PPTP / GRE traffic to allow NAT to function correctly. This, therefore, requires appropriate IPS licenses.

Important: Starting from R80 PPTP_TCP has been removed as a deprecated protocol per sk103766. If this protocol is required, please contact your Sales Engineer or submit a Request for Enhancement.

Procedure:

Follow these steps in SmartDashboard:

1. Edit the PPTP Client/PPTP Network object:

   1. Open the PPTP Client/PPTP Network object properties.
      
      
   2. Go to 'NAT' tab.
      
      
   3. Check the box Add Automatic Address Translation rules.

   4. Select NAT Translation Method:

      1. In the 'Translation Method' field, select Hide.
         
         
      2. Select either the Hide behind Gateway, or Hide behind IP Address.
         
         
   5. Click on 'OK' to close the object properties window.

   Example:

   
   
   

2. Create a Security Rule to allow connections to the PPTP Server - use the 'PPTP' service:

   
   
   

3. Edit the Security Gateway object:

   1. Open the Security Gateway properties.
      
      
   2. Go to General Properties pane.
      
      
   3. Enable the IPS blade (check the box 'IPS').
      
      
   4. Click on 'OK' to close the object properties window.

   Example:

   
   
   

4. Configure the IPS protection "Non Compliant PPTP":

   1. Go to IPS tab.
      
      
   2. In the left pane, click on Protections.
      
      
   3. In the Look for field, type PPTP and press Enter.
      
      
   4. Right-click on the IPS protection "Non Compliant PPTP" - click on Details....
      
      
   5. On the General tab, select the relevant IPS profile - click on Edit....

   6. In the Main Action section:

      1. Select Override IPS Policy with
         
         
      2. Select Detect
   7. Click on 'OK' to close the protection settings window.
      
      
   8. Click on 'OK' to close the protection details window.
      
      

   Example:

   
   
   
5. Save the changes: go to 'File' menu - click on 'Save'.
   
   
6. Install the Security policy onto Security Gateway.
   
   
7. Verify the PPTP connection.

For R80.10 or above:

Configure the IPS Protection "Non Compliant PPTP":

1. In left Pane of Smart Console, go to "MANAGE & SETTINGS"

2. Go to Blades > General > Inspection Settings...

3. In the Look for field, type PPTP and press Enter

4. Right click Non Compliant PPTP and Edit

5. In the required profile(default/recommended which is applied on gateway)

6. Select Override with Action:

7. In Drop down menu > select "Accept" > press "ok"

8. Install policy.

Limitation:

To allow the PPTP traffic to pass, Security Gateway must have the IPS Software Blade enabled in its 'General Properties' pane. IPS Software blade requires a separate license to be installed on Security Gateway and on Security Management Server / Domain Management Server.

Check Point 600 appliances and Locally Managed 1100/1200R appliances

1. Starting from R75.20.66, to enable PPTP parsing enforcement that also allows the Security Gateway to support PPTP/GRE traffic over Hide-NAT, go to the "Users & Objects" tab under "Network Resources" -> "Services".
   
   
2. Edit the PPTP_TCP built-in Service object and make sure that the "Disable inspection for this service" checkbox is NOT selected.