I have the following scenario:
LAN -> FIREWALL ENTERPRISE -> WAN
and many users in the LAN need to connect to a Microsoft Windows Server 2003 VPN in the WAN. I searched the McAfee KB and found an article saying that I need rules to allow PPTP (TCP port 1723) and GRE to pass through the firewall. However, using this approach I need as many valid IPs as the number of users connecting to the VPN simultaneously, and I don't have too many valid IPs available in my company.
Can't I use NAT-T to overcome this situation?
I didn't have this kind of limitation with my simple iptables firewall... why would advanced equipment such as McAfee Firewall Enterprise have it?
If anyone knows how to solve this problem, please help me!!
NAT-T is for IPsec VPNs only, unfortunately.
If you are NATing these sessions through the firewall there is no way to overcome this. GRE is portless; the firewall can't build separate sessions if more than one internal IP connects to the same external IP (the session on the outside would look like this: fw-ext-ip:proto-47 -> server-ip:proto-47). Since you are NATing, every session would look like this, so there is no way to distinguish between the sessions.
You're right, other devices can distinguish between the sessions even if you NAT. You say iptables can; a Snapgear can also do this. I don't know exactly how they do it, but I'm guessing they might keep a table of the key in the GRE header (the key should be unique between sessions). Since a firewall doesn't manipulate this key, if it has the ability to keep a table of the keys it could distinguish the sessions.
I would say the reason the firewall doesn't do this is that it doesn't do "everything." This is simply something it doesn't do; it wasn't written into the code.
You can request any features/modifications to the firewall you'd like at this URL:
Choose 'McAfee Firewall Enterprise' in the drop-down box. Be sure to specify your version in the description field also.
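The mechanism the replies above are guessing at, worked through as an added example (this is not code from the thread, from McAfee, SnapGear or Linux). More precisely than "a table of the key": in PPTP the GRE key field carries the payload length and a Call ID, and every GRE packet carries the peer's Call ID (RFC 2637), so a PPTP-aware NAT such as Linux's nf_nat_pptp helper watches the TCP 1723 control channel, rewrites the client's Call ID in the Outgoing-Call-Request to a value the NAT owns and is unique across inside hosts, and then routes inbound GRE on that Call ID alone; outbound GRE needs no rewrite because it carries the server's Call ID. The GRE framing below follows RFC 2637; the control messages are reduced to dicts holding only the Call ID fields, and all addresses, Call ID values and payloads are constructed for the example.

```python
import struct

# Enhanced GRE header bits (RFC 2637 section 4.1); constant names are this example's own.
PPTP_GRE_PROTO = 0x880B    # protocol type carried in the GRE header
GRE_K, GRE_S, GRE_A, GRE_VER1 = 0x2000, 0x1000, 0x0080, 0x0001


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """flags/ver | 0x880B | payload length | Call ID | [seq] | [ack] | PPP payload."""
    flags, opt = GRE_K | GRE_VER1, b""
    if seq is not None:
        flags, opt = flags | GRE_S, opt + struct.pack("!I", seq)
    if ack is not None:
        flags, opt = flags | GRE_A, opt + struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, PPTP_GRE_PROTO, len(payload), call_id) + opt + payload


def parse_pptp_gre(pkt):
    """Header fields of a PPTP enhanced-GRE packet; rejects anything else."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or not (flags & GRE_K) or (flags & 0x0007) != GRE_VER1:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & GRE_A:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if len(pkt) < off + plen:
        raise ValueError("payload length exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + plen]}


def plain_nat_session_keys(inside_hosts, outside_ip, server_ip):
    """What a helper-less NAT sees: GRE has no ports, so every inside host
    collapses onto the same (outside_ip, proto 47, server_ip) session key."""
    return {(outside_ip, 47, server_ip) for _ in inside_hosts}


class PptpNat:
    """NAT helper: one NAT-owned outside Call ID per (inside host, client Call ID).
    Control messages are dicts with the Call ID fields only (simplified, not the
    real PPTP control message layout)."""

    def __init__(self, outside_ip, first_id=0x4000):   # 0x4000: constructed NAT pool
        self.outside_ip, self.next_id = outside_ip, first_id
        self.by_inside = {}   # (inside_ip, client_call_id) -> nat_call_id
        self.by_nat = {}      # nat_call_id -> (inside_ip, client_call_id)

    def control_out(self, inside_ip, msg):
        """Client -> server: Outgoing-Call-Request carries the client's own Call ID;
        rewrite it to one the NAT owns so it is unique on the outside."""
        if msg["type"] != "OCRQ":
            return msg
        key = (inside_ip, msg["call_id"])
        if key not in self.by_inside:
            self.by_inside[key], self.by_nat[self.next_id] = self.next_id, key
            self.next_id += 1
        return dict(msg, call_id=self.by_inside[key])

    def control_in(self, msg):
        """Server -> client: Outgoing-Call-Reply echoes our NAT-owned ID as the
        peer's Call ID; map it back and restore the client's original value."""
        if msg["type"] != "OCRP":
            raise ValueError("unexpected control message")
        inside_ip, client_id = self.by_nat[msg["peer_call_id"]]
        return inside_ip, dict(msg, peer_call_id=client_id)

    def gre_in(self, pkt):
        """Server -> client data: the GRE Call ID is the peer's, i.e. the NAT-owned
        client ID, so it alone selects the inside host. Unknown ID -> KeyError (drop)."""
        h = parse_pptp_gre(pkt)
        inside_ip, client_id = self.by_nat[h["call_id"]]
        return inside_ip, build_pptp_gre(client_id, h["payload"], h["seq"], h["ack"])

    def gre_out(self, inside_ip, pkt):
        """Client -> server data carries the server's Call ID: nothing to rewrite,
        only the source address changes (IP header not modelled here)."""
        parse_pptp_gre(pkt)
        return self.outside_ip, pkt


def demo():
    """Two inside hosts that both picked client Call ID 1 (constructed scenario):
    returns {inside_ip: (host the reply was routed to, parsed GRE delivered)}."""
    nat, server, hosts = PptpNat("203.0.113.10"), "198.51.100.5", ["10.0.0.11", "10.0.0.12"]
    assert len(plain_nat_session_keys(hosts, nat.outside_ip, server)) == 1  # indistinguishable
    delivered = {}
    for n, host in enumerate(hosts):
        req = nat.control_out(host, {"type": "OCRQ", "call_id": 1})
        # server picks its own Call ID and echoes our NAT-owned ID as the peer's
        to_host, _ = nat.control_in({"type": "OCRP", "call_id": 100 + n, "peer_call_id": req["call_id"]})
        dst, pkt = nat.gre_in(build_pptp_gre(req["call_id"], b"ppp-for-" + host.encode(), seq=n))
        delivered[dst] = (to_host, parse_pptp_gre(pkt))
    return delivered
```

Running `demo()` shows the two hosts, which collide on a plain NAT because they share one outside IP and one protocol-47 "session", each receiving only their own GRE packets once the helper has handed out distinct outside Call IDs; the firewall in the question lacks exactly this helper, which is why it needs one public IP per concurrent PPTP client.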