From: Russ <Russ .
Date: Fri, 1 Nov 1996 01:12:13 -0500
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Sender: firewalls-owner @
Don Jarmon asked...
>I was planning to add a Dual NIC NTS4.0 server to a DMZ. One
>NIC configured to support PPTP and the other NIC connected
>to the Intranet. I was wondering 'bout what type of access is
>needed on the boundary router to support Remote PPTP enabled
According to the internet draft the PNS (PPTP Network Server)
receives an incoming TCP call on port 5678. If that is true then the
DMZ external router would need to allow an incoming TCP call on port
5678 of the pptp server.
In a cisco, that would look something like this:
! pptp incoming to PNS
access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.XXX 0.0.0.0 eq 5678
(where XXX.XXX.XXX.XXX is the PNS server IP address)
This access list could be referred to in the external interface setup
with a "ip access-group 100 in". You might need to have additional
filter entries if you filter outbound packets from your DMZ router's
I haven't tried this but it seems reasonable.
Robert B. Carleton + rbc @
net + http://www.lava.net/~rbc
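To show what that single access-list line actually admits, and what falls through to the implicit deny at the end of every Cisco ACL, here is an added Python example (not part of the original post) that evaluates extended-ACL entries with wildcard masks against sample packets. The PNS address 192.0.2.10 is a constructed stand-in for XXX.XXX.XXX.XXX; TCP port 5678 is the port the post cites.

```python
import ipaddress

# The ACL line from the post, with a constructed PNS address in place of
# XXX.XXX.XXX.XXX. Source "0.0.0.0 255.255.255.255" means any host.
ACL_LINES = [
    "access-list 100 permit tcp 0.0.0.0 255.255.255.255 192.0.2.10 0.0.0.0 eq 5678",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & keep) == (b & keep)

def _addr(tok, i):
    """Consume an address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_ace(line):
    """Parse one extended ACL entry (numbered form, optional 'eq <dport>')."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL entry: " + line)
    ace = {"action": tok[2], "proto": tok[3], "dport": None}
    ace["src"], ace["swc"], i = _addr(tok, 4)
    ace["dst"], ace["dwc"], i = _addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(tok[i + 1])
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; no match is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, ace["src"], ace["swc"]):
            continue
        if not wildcard_match(dst, ace["dst"], ace["dwc"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Running `evaluate(ACL_LINES, "tcp", "203.0.113.5", "192.0.2.10", 5678)` returns `permit`; the same packet to port 23, to a neighbouring host, or over UDP returns `deny`.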