I want to set up a PPTP-based VPN for my company's roaming and small office/home office (SOHO) users. The audit and security department agreed that the PPTP tunnels should terminate on a Windows NT 4.0 RAS server on the company's internal network and that the PPTP traffic should bypass the corporate firewall's security policy. How do I configure my firewall to allow PPTP traffic?

The sidebar "Introduction to PPTP," page 12, provides a short explanation of PPTP and its uses. To let PPTP work across a firewall, you must configure the firewall to allow both PPTP control-channel and data-channel packets. The PPTP control channel is the initial channel that you set up between a PPTP client and a PPTP server. The PPTP client and server use this control channel to negotiate tunnel parameters, such as the encryption method and the compression algorithm. The PPTP control channel also establishes, manages, and releases the PPTP data channel. You can think of the data channel as the real PPTP tunnel. PPTP sends the control-channel packets over TCP port 1723. On the data channel, PPTP uses a protocol called Generic Routing Encapsulation (GRE, IP protocol number 47) to securely encapsulate the Point-to-Point Protocol (PPP) packets in an IP packet.

Here's an example of how you would configure a Cisco Systems Secure PIX Firewall to allow PPTP traffic. On the PIX Firewall, carry out the following Conduit commands from the Cisco PIX command-line interface:

    conduit permit tcp host PPTPServerIPAddress eq 1723 ExternalNetworkIPAddress ExternalNetworkIPSubnetMask
    conduit permit gre host PPTPServerIPAddress ExternalNetworkIPAddress ExternalNetworkIPSubnetMask

where PPTPServerIPAddress designates the internal PPTP server's global (i.e., visible from the outside) IP address, and ExternalNetworkIPAddress and ExternalNetworkIPSubnetMask designate the IP address range of the clients initiating the PPTP connection. The eq 1723 operator restricts the first command to TCP traffic on port 1723. A PIX Firewall blocks all inbound traffic unless you use a Conduit command to permit it. The preceding Conduit commands let the PPTP control-channel packets (first command) and data-channel packets (second command) pass through the PIX Firewall; if you omit either command, the tunnel cannot come up.

For example, to let a roaming user set up a PPTP tunnel from a laptop that has an IP address in the range to to the internal PPTP server that has a global IP address of, you would carry out these Conduit commands on the PIX firewall:

    conduit permit tcp host eq 1723
    conduit permit gre host
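The following Python script is an added example, not Cisco code and not part of the original column. It models the two-rule policy described above: it parses the two conduit commands (only the `conduit permit <proto> host <ip> [eq <port>] <ip> <mask>` form the column uses is handled, an assumption), evaluates sample inbound packets against them with the PIX default of "blocked unless permitted", and reports whether both the TCP 1723 control channel and the GRE data channel are open for a given client. The server address 203.0.113.10 and client range 198.51.100.0/24 are constructed documentation-range values, not addresses from the column.

```python
"""Model of the two PIX conduit rules that PPTP needs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

GRE = 47                  # IP protocol number used by the PPTP data channel
TCP = 6
PPTP_CONTROL_PORT = 1723  # TCP port used by the PPTP control channel
PROTO_NAMES = {TCP: "tcp", 17: "udp", GRE: "gre"}


@dataclass(frozen=True)
class Conduit:
    proto: str                          # "tcp", "udp" or "gre"
    global_net: ipaddress.IPv4Network   # inside server as seen from outside
    foreign_net: ipaddress.IPv4Network  # outside clients allowed to initiate
    port: Optional[int] = None          # destination port (tcp/udp only)


def _network(tok: List[str], i: int):
    """Read 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]; return (net, next index)."""
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_conduit(line: str) -> Conduit:
    """Parse the subset of PIX conduit syntax used in the column (assumption)."""
    tok = line.split()
    if tok[:2] != ["conduit", "permit"]:
        raise ValueError(f"unsupported conduit line: {line!r}")
    proto = tok[2]
    global_net, i = _network(tok, 3)
    port = None
    if tok[i] == "eq":                  # optional port operator
        port = int(tok[i + 1])
        i += 2
    foreign_net, _ = _network(tok, i)
    return Conduit(proto, global_net, foreign_net, port)


@dataclass(frozen=True)
class Packet:
    proto: int                # IP protocol number: 6 = TCP, 47 = GRE
    src: str                  # outside (foreign) address
    dst: str                  # global address of the inside server
    dport: Optional[int] = None


def permitted(rules: List[Conduit], pkt: Packet) -> bool:
    """Return True if some conduit permits this inbound packet; PIX default is deny."""
    name = PROTO_NAMES.get(pkt.proto)
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto != name:
            continue
        if dst not in r.global_net or src not in r.foreign_net:
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        return True
    return False


def pptp_setup_ok(rules: List[Conduit], client: str, server: str) -> dict:
    """Report whether both channels PPTP needs are open for one client."""
    control = permitted(rules, Packet(TCP, client, server, PPTP_CONTROL_PORT))
    data = permitted(rules, Packet(GRE, client, server))
    return {"control": control, "data": data, "tunnel": control and data}


# Constructed sample policy: the two conduit commands from the column with
# documentation-range addresses filled in (not the column's real addresses).
RULES = [parse_conduit(line) for line in (
    "conduit permit tcp host 203.0.113.10 eq 1723 198.51.100.0 255.255.255.0",
    "conduit permit gre host 203.0.113.10 198.51.100.0 255.255.255.0",
)]

if __name__ == "__main__":
    print("full policy :", pptp_setup_ok(RULES, "198.51.100.7", "203.0.113.10"))
    print("tcp rule only:", pptp_setup_ok(RULES[:1], "198.51.100.7", "203.0.113.10"))
```

The second print shows the failure mode worth checking for: with only the TCP 1723 conduit in place the control channel is permitted but the GRE data channel is not, so the client can negotiate but the tunnel never carries traffic. The model also confirms that the conduits permit nothing else to the server (a TCP packet to another port, or a client outside the declared range, is still blocked).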