12-22 Administration Guide
A strict firewall may not be provisioned to allow VPN traffic to pass back and forth as needed. In order to ensure
that a firewall will allow a VPN, certain attributes must be added to the firewall's provisioning. The provisions
necessary vary slightly between ATMP and PPTP, but both protocols operate on the same basic premise: there
are control and negotiation operations, and there is the tunnelled traffic that carries the payload of data
between the VPN endpoints. The difference is that ATMP uses UDP to handle control and negotiation, while
PPTP uses TCP. Then both ATMP and PPTP use GRE to carry the payload.
For PPTP negotiation to work, TCP packets inbound and outbound destined for port 1723 must be allowed.
Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for port 5150 must be
allowed. Source ports are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both
require a firewall to allow GRE bi-directionally.
The following sections illustrate a sample filtering setup to allow either PPTP or ATMP traffic to cross a firewall:
■ PPTP example on page 12-23
■ ATMP example on page 12-26
Make your own appropriate substitutions. For more information on filters and firewalls, see Chapter 13,
“Security.”.