cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
713
Views
0
Helpful
5
Replies

Nortel VPN client through PIX515E

rsab
Level 1
Level 1

I am attempting to get the Nortel IPSec VPN client to establish a tunnel through a PIX515E to an outside address. I have allowed UDP port 500 through, and the ISAKMP portion of the tunnel setup seems to work. But then the connection drops.

I read that protocol 50(esp) and 51(ah) have to be allowed as well, but I don't know how to do this. Maybe there are other ports/protocols required as well. Does anyone have any experience with this?

Thanks for any help.

Darren

5 Replies 5

scoclayton
Level 7
Level 7

Just posted the following on another similar question...see if this helps.

***Assumption: I am assuming this is an IPSec client connection and not PPTP. If PPTP, please disregard.***

The issue is probably a few things. First, you need to either create a 1:1 static entry on your PIX for this internal client or upgrade to 6.3(4) and enable "fixup protocol esp-ike". See the following for more info on this:

(PAT for ESP section)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#wp67757

You also need to explicitly permit esp inbound from the Nortel concentrator in the access-list you have applied to the PIX outside interface. Something like this should work:

access-list inbound permit esp host X.X.X.X any

(where X.X.X.X is the IP address of the Nortel device).

Let us know if this is not clear.

Scott

Thanks for your reply Scott. From the link you provided, it appears that even if I am successful in configuring the PIX to pass the Nortel IPSec client connection out to the Internet, only a single outbound IPSec tunnel is supported. Is this correct?

Thanks.

Assuming you are trying to pass the ESP traffic via a PAT address, then yes, you are correct. Only one tunnel at a time will work. You can configure 1:1 static translations for the internal hosts to make this work.

Scott

tkpsimon
Level 1
Level 1

Darren,

I have a similar situation which i was using a Cisco VPN client to create a tunnel through a PIX515E. I'm not sure about the Nortel VPN client, but for Cisco's VPN client you could pick either TCP/UDP to setup a tunnel, I could use both protocol to establish a tunnel, but the pix will drop my tunnel if i'm using UDP, because the UDP timer. TCP's one work perfectly. Maybe Nortel have some setting for you to choose TCP instead of UDP. Hope this help.

bhose
Level 1
Level 1

Hi,

We use the Nortel Contivity client through a router running the IOS firewall feature set. We are using the NAT traversal feature on the Nortel client. The router is configured to allow out ports UDP 500 and UDP 10001. I believe both the client and VPN concentrator need to be configured for NAT traversal.

As long as you are using recent PIX code I would assume a PIX configured the same would work.

Hope this helps