529 Views, 0 Helpful, 5 Replies

PIX 515

p.holley
Level 1

Hi,

I have a customer that wants to use a Nortel VPN client sitting behind a Cisco PIX, to VPN into the inside network. This is the scenario:

Nortel VPN client ---> Cisco PIX 515 ---> Internet ---> Nortel Firewall ---> Inside Network.

What ports do I need to open on the PIX to allow the Nortel VPN client to establish a VPN connection to the Nortel firewall?

Thanks

5 Replies

Patrick Iseli
Level 7

sysopt connection permit-ipsec

or

ISAKMP UDP 500

Protocol ESP, AH

Do you use PAT or NAT for inside users ?

"PAT for ESP". The 6.3.4 code has a new command - 'fixup protocol esp-ike' which will allow 1 (and only 1) IPSec connection through a PIX configured with PAT.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

Sincerely,

Patrick
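The two things the reply above lists, written out as a PIX 6.3 configuration fragment for the PAT case. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the inside subnet, the PAT pool and the Nortel firewall address are placeholders, and the inside access list is only needed if one is already applied to the inside interface (outbound traffic from a higher-security interface is otherwise permitted by default).

```text
! Constructed example. Assumed addresses:
!   inside LAN 192.168.1.0/24, PATed to the PIX outside interface address
!   Nortel firewall public address 203.0.113.10 (placeholder)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! IKE from the client is UDP 500 and is PATed like any other UDP flow.
! Only required if an access list is already bound to the inside interface:
access-list inside_out permit udp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq isakmp
access-list inside_out permit esp 192.168.1.0 255.255.255.0 host 203.0.113.10
access-group inside_out in interface inside

! ESP (IP protocol 50) carries no port numbers, so returning ESP cannot be
! matched to a PAT translation on its own. The 6.3(4) fixup tracks the IKE
! exchange and lets one IPsec client's ESP through the PAT:
fixup protocol esp-ike

! Verify the translation and the ESP connection after the client connects:
show xlate
show conn
```

The `sysopt connection permit-ipsec` line in the reply applies to IPsec sessions that terminate on the PIX itself; for a client that only passes through the PIX to a remote peer, it is the PAT handling of ESP that decides whether the tunnel comes up, which is why the fixup is the relevant part of the reply.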

Thanks Patrick,

We are using PAT for inside users. So all I have to do is enter the following commands on the PIX FW:

sysopt connection permit-ipsec

fixup protocol esp-ike

YES

frrosale
Cisco Employee

One thing to bear in mind is that if you use the FIXUP-PROTOCOL ESP/IKE command, the PIX will lose its IPSEC capabilities.

What the fixup does is to relay the PIX's IPSEC capabilities to the first user that tries to build an IPSEC session through the firewall.

If your firewall already receives IPSEC connections I wouldn't suggest you use the fixup protocol.

The PIX FW already receives IPSEC connections from Cisco VPN clients. Any idea how I get this to work? Thanks
