Thursday, June 23, 2005

PPTP through PIX Firewall Appliance

PPTP is described in RFC 2637. It uses a TCP control connection on port 1723 and an enhanced form of Generic Routing Encapsulation (GRE, IP protocol 47) to carry the actual data (the PPP frames). The TCP connection is initiated by the client, and the GRE connection is then initiated by the server; therefore, to allow PPTP connections through the PIX, you have to configure a one-to-one static translation for the inside host. This document uses the PIX access control list (ACL) syntax introduced in PIX version 5.0.1; conduits may also be used, but not in conjunction with ACLs.

Because the session is initiated as TCP on one port while the data comes back as GRE, ACLs must be configured to allow the return traffic into the PIX: the PIX Adaptive Security Algorithm (ASA) does not know that the two flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because a one-to-one translation is keyed on the IP address alone, so the GRE packets can still be mapped back to the inside host. PPTP through the PIX with Port Address Translation (PAT) does not work because PAT relies on the port numbers in the TCP or UDP header to share one outside address among many inside hosts, and there is no concept of ports in GRE.
The PPTP fixup feature in version 6.3 allows PPTP traffic to traverse the PIX when configured for PAT, performing stateful PPTP packet inspection in the process. The fixup protocol pptp command (fixup protocol pptp 1723) inspects PPTP packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Specifically, the firewall inspects the PPTP version announcements and the outgoing call request/reply sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected; further inspection of the TCP control channel is disabled if the version announced by either side is not Version 1. Connections and/or xlates are allocated dynamically as needed to permit the subsequent secondary GRE data traffic. The PPTP fixup must be enabled for PPTP traffic to be translated by PAT.

This amounts to saying that in versions earlier than 6.3, PPTP traffic can transit the PIX, but only in one specific setup, namely:

If a user on the corporate network tries to reach a PPTP server outside the company through a PIX (running a version earlier than 6.3) that performs N-to-1 address translation (PAT or NPAT), it will not work.

The only way to handle this is to set up a one-to-one address translation (NAT) between the internal address and an external address and define the necessary ACLs.
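The two situations above put into PIX configuration, as an added example that is neither part of the original post nor taken from the Cisco documentation it quotes. All addresses are assumed for illustration: 10.1.1.5 is the inside PPTP client, 192.0.2.5 its one-to-one mapped outside address, 198.51.100.10 the external PPTP server, 192.0.2.20 the shared PAT address, and outside_in is an assumed ACL name. The `!---` lines are annotations in the style of Cisco's configuration listings, not commands to paste.

```cisco
!--- PIX earlier than 6.3: one-to-one static NAT plus an ACL for the GRE return flow.
!--- Assumed: 10.1.1.5 = inside PPTP client, 192.0.2.5 = its mapped outside address,
!--- 198.51.100.10 = external PPTP server.
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255

!--- The TCP 1723 control channel from inside to outside is allowed by default
!--- (higher to lower security level). The GRE data coming back from the server
!--- is not: the ASA does not tie it to the TCP session, so open it explicitly.
!--- "gre" is IP protocol 47.
access-list outside_in permit gre host 198.51.100.10 host 192.0.2.5

!--- If the inside host were instead a PPTP server reached by outside clients,
!--- the control channel would need opening as well:
!--- access-list outside_in permit tcp any host 192.0.2.5 eq 1723
!--- access-list outside_in permit gre any host 192.0.2.5
access-group outside_in in interface outside

!--- PIX 6.3 and later: the same client can sit behind PAT once the fixup is on.
!--- Assumed: 10.1.1.0/24 inside network, 192.0.2.20 = shared PAT address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.20
fixup protocol pptp 1723
!--- The fixup inspects the control channel and allocates the GRE connection
!--- and xlate itself, so no static and no inbound GRE ACL are needed for
!--- clients connecting outbound. Without the fixup line, the nat/global pair
!--- above is exactly the failing case: returning GRE carries no port, so the
!--- PIX cannot tell which 10.1.1.x host it belongs to and drops it.
```

To check which case you are in, have the client connect and look at show xlate and show conn: with the static, the GRE packets must be matched by the ACL (show access-list shows hit counts); with PAT and the fixup, the PIX creates the GRE connection and translation dynamically, and show fixup confirms that pptp 1723 is enabled.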