
Nortel VPN access through my PIX 501

gwnoyes
Level 1

I have a PIX 501 set up pretty much the way it comes out of the box except for a few static entries and an access-list to allow connections to my web server. I have only 1 client on the inside that needs to be able to VPN to a Contivity box with the Nortel client. How do I set up the PIX to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as udp port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding entries to my access-list or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501 because it may make a difference from those using other PIXes. One more thing, my PIX has a DHCP address on the external interface.

Thanks

Gary

1 Reply

gfullage
Cisco Employee

If you're doing PAT on this 501 then you should be able to at least build a tunnel, but then you probably won't be able to pass traffic. PAT and IPSec don't work well together. If you have a spare external IP address (doubtful since you're doing DHCP), then you could set up a static for your internal VPN client machine and then it should work fine. Alternatively, if the Nortel supports some sort of IPSec encapsulation into a TCP or UDP packet, then if you enable that it all should work even with a PAT config on the 501.

What errors do you see on the 501 if you enable syslogging? That may give us a better indication of what's going on.
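
The three cases in the reply above (PAT, a one-to-one static, and IPSec encapsulated in UDP), shown as an added example that is not part of the original thread and is not PIX code: a simplified Python model of a port-based translator. The addresses and the encapsulation port 40000 are constructed placeholders, and the model assumes PAT can only key a translation on a TCP or UDP port.

```python
from dataclasses import dataclass
from typing import Optional

PORT_PROTOCOLS = {"tcp", "udp"}  # protocols carrying a port that PAT can rewrite
CLIENT, GATEWAY, OUTSIDE = "192.168.1.10", "203.0.113.50", "198.51.100.7"  # constructed

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "esp" (IP protocol 50), "ah" (51)
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP/AH: those headers have no ports
    dport: Optional[int] = None

class Translator:
    """Simplified model: PAT on one outside address plus optional statics."""
    def __init__(self, outside_ip, static_map=None):
        self.outside_ip = outside_ip
        self.static_map = static_map or {}  # inside IP -> dedicated outside IP
        self.xlate = {}                     # (proto, outside port) -> (inside IP, port)
        self.next_port = 1024

    def outbound(self, pkt):
        if pkt.src in self.static_map:      # one-to-one: address swap, no port needed
            return Packet(pkt.proto, self.static_map[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.proto not in PORT_PROTOCOLS:
            return None                     # ESP/AH: nothing to key a PAT entry on
        port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, port, pkt.dport)

    def inbound(self, pkt):
        for inside, outside in self.static_map.items():
            if pkt.dst == outside:
                return Packet(pkt.proto, pkt.src, inside, pkt.sport, pkt.dport)
        entry = self.xlate.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                     # no matching translation: dropped
        return Packet(pkt.proto, pkt.src, entry[0], pkt.sport, entry[1])

def vpn_attempt(translator, udp_encapsulation=False):
    """Send IKE (UDP 500), then tunnel data; report which ones get translated."""
    ike = translator.outbound(Packet("udp", CLIENT, GATEWAY, 500, 500))
    if udp_encapsulation:                   # hypothetical encapsulation port 40000
        data = Packet("udp", CLIENT, GATEWAY, 40000, 40000)
    else:
        data = Packet("esp", CLIENT, GATEWAY)
    return {"ike": ike is not None, "data": translator.outbound(data) is not None}

if __name__ == "__main__":
    print("PAT only      ", vpn_attempt(Translator(OUTSIDE)))
    print("static NAT    ", vpn_attempt(Translator(OUTSIDE, {CLIENT: "198.51.100.8"})))
    print("PAT + UDP wrap", vpn_attempt(Translator(OUTSIDE), udp_encapsulation=True))
```
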
