From: Russ <Russ.Cooper.RC.on.ca@GreatCircle.COM>
Date: Fri, 1 Nov 1996 01:12:13 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Don Jarmon asked...
>I was planning to add a Dual NIC NTS4.0 server to a DMZ. One
>NIC configured to support PPTP and the other NIC connected
>to the Intranet. I was wondering 'bout what type of access is
>needed on the boundary router to support Remote PPTP enabled
>Internet Clients.
According to the Internet draft, the PNS (PPTP Network Server)
receives an incoming TCP call on port 5678. If that is true, then the
DMZ external router would need to allow an incoming TCP call on port
5678 of the PPTP server.
In a cisco, that would look something like this:
! pptp incoming to PNS
access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.XXX 0.0.0.0 eq 5678
(where XXX.XXX.XXX.XXX is the PNS server IP address)
This access list could be referred to in the external interface setup
with an "ip access-group 100 in". You might need to have additional
filter entries if you filter outbound packets from your DMZ router's
internal interface.
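To see exactly what that access list admits once the implicit "deny ip any any" at the end of every IOS numbered ACL is taken into account, here is a small model of IOS access-list matching. It is an added example, not code from the original post or from Cisco: it parses the rule in the form quoted above (plus the equivalent "any" / "host" keyword form), implements Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care", so 0.0.0.0 is an exact host match and 255.255.255.255 is any address), and evaluates some constructed packets against it. The PNS address 203.0.113.10 stands in for XXX.XXX.XXX.XXX and is an assumption.

```python
"""Added example (not from the original mailing-list post): a model of Cisco IOS
numbered access-list matching, used to check what

    access-list 100 permit tcp 0.0.0.0 255.255.255.255 XXX.XXX.XXX.XXX 0.0.0.0 eq 5678

permits when applied inbound on the external interface. The PNS address and
the sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", or "ip" (matches any IP protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if present


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard masks are inverted subnet masks: set bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse one extended numbered ACL line of the shape used in the post."""
    t = line.split()
    if t[0] != "access-list" or not t[1].isdigit():
        raise ValueError("not an access-list line: %r" % line)
    action, proto = t[2], t[3]
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(action, proto, src, src_wild, dst, dst_wild, dport)


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    return e.dport is None or p.dport == e.dport


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


PNS = "203.0.113.10"   # constructed: stands in for XXX.XXX.XXX.XXX in the post

ACL_100 = [parse_acl_line(
    "access-list 100 permit tcp 0.0.0.0 255.255.255.255 %s 0.0.0.0 eq 5678" % PNS)]

if __name__ == "__main__":
    samples = [   # constructed packets arriving inbound on the external interface
        Packet("tcp", "198.51.100.7", PNS, 5678),           # PPTP control call to PNS
        Packet("tcp", "198.51.100.7", PNS, 80),             # other TCP to PNS
        Packet("tcp", "198.51.100.7", "203.0.113.11", 5678),  # port 5678 to another host
        Packet("udp", "198.51.100.7", PNS, 5678),           # wrong protocol
    ]
    for p in samples:
        print(p, "->", evaluate(ACL_100, p))
```

Only the first sample is permitted; everything else falls through to the implicit deny, which is also why, as the post notes, any other traffic the DMZ host must receive needs its own entry in the same list.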
I haven't tried this but it seems reasonable,
--Bruce
--
Robert B. Carleton + rbc@lava.net + http://www.lava.net/~rbc