07-28-2004 02:42 PM - edited 02-21-2020 01:16 PM
I am attempting to get the Nortel IPSec VPN client to establish a tunnel through a PIX515E to an outside address. I have allowed UDP port 500 through, and the ISAKMP portion of the tunnel setup seems to work. But then the connection drops.
I read that protocol 50(esp) and 51(ah) have to be allowed as well, but I don't know how to do this. Maybe there are other ports/protocols required as well. Does anyone have any experience with this?
Thanks for any help.
Darren
07-28-2004 06:04 PM
Just posted the following on another similar question...see if this helps.
***Assumption: I am assuming this is an IPSec client connection and not PPTP. If PPTP, please disregard.***
The issue is probably a few things. First, you need to either create a 1:1 static entry on your PIX for this internal client or upgrade to 6.3(4) and enable "fixup protocol esp-ike". See the following for more info on this:
(PAT for ESP section)
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#wp67757
You also need to explicitly permit esp inbound from the Nortel concentrator in the access-list you have applied to the PIX outside interface. Something like this should work:
access-list inbound permit esp host X.X.X.X any
(where X.X.X.X is the IP address of the Nortel device).
Let us know if this is not clear.
Scott
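The two approaches Scott outlines, written out as an added configuration example that is not part of the original thread. It uses PIX 6.3 syntax; 203.0.113.10 stands in for the Nortel concentrator, 198.51.100.5 for a spare public address on the PIX outside subnet, and 10.1.1.50 for the internal host running the Nortel client. All three addresses and the access-list name "inbound" are placeholders.

```cisco
! Added example, not from the original thread. PIX 6.3 syntax; addresses are placeholders.
! 203.0.113.10 = Nortel concentrator, 198.51.100.5 = spare public address on the
! outside subnet, 10.1.1.50 = the internal host running the Nortel client.

! --- Option A: 1:1 static translation (any 6.x release, one static per client) ---
! Each internal client that needs its own tunnel gets its own public address.
static (inside,outside) 198.51.100.5 10.1.1.50 netmask 255.255.255.255 0 0

! ESP (IP protocol 50) carries no port numbers, so the PIX cannot track it
! statefully the way it tracks the UDP 500 ISAKMP exchange; the return ESP
! traffic must be permitted explicitly on the outside interface. Narrow the
! destination to the static's public address rather than "any". If the
! concentrator also used AH (IP protocol 51), a matching "permit ah" line would be needed.
access-list inbound permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list inbound permit esp host 203.0.113.10 host 198.51.100.5
access-group inbound in interface outside

! --- Option B: PAT for ESP on 6.3(4) or later (one ESP tunnel at a time) ---
! Keep ordinary PAT and let the esp-ike fixup pair the ESP flow with the
! ISAKMP exchange that preceded it. This fixup cannot be used on a PIX that
! terminates its own IPSec tunnels ("isakmp enable" on an interface).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
fixup protocol esp-ike
access-list inbound permit esp host 203.0.113.10 any
access-group inbound in interface outside
```

Pick one option, not both. Option A scales to several simultaneous clients at the cost of one public address each; Option B needs no extra addresses but, as the release notes say, supports only a single ESP tunnel through the PAT address at a time.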
07-29-2004 07:15 AM
Thanks for your reply Scott. From the link you provided, it appears that even if I am successful in configuring the PIX to pass the Nortel IPSec client connection out to the Internet, only a single outbound IPSec tunnel is supported. Is this correct?
Thanks.
07-29-2004 07:35 AM
Assuming you are trying to pass the ESP traffic via a PAT address, then yes, you are correct. Only one tunnel at a time will work. You can configure 1:1 static translations for the internal hosts to make this work.
Scott
07-30-2004 11:56 PM
Darren,
I have a similar situation, in which I was using a Cisco VPN client to create a tunnel through a PIX515E. I'm not sure about the Nortel VPN client, but with Cisco's VPN client you can pick either TCP or UDP to set up a tunnel. I could use both protocols to establish a tunnel, but the PIX would drop my tunnel if I was using UDP, because of the UDP timer. The TCP one works perfectly. Maybe Nortel has a setting for you to choose TCP instead of UDP. Hope this helps.
08-01-2004 10:48 PM
Hi,
We use the Nortel Contivity client through a router running the IOS firewall feature set. We are using the NAT traversal feature on the Nortel client. The router is configured to allow out ports UDP 500 and UDP 10001. I believe both the client and VPN concentrator need to be configured for NAT traversal.
As long as you are using recent PIX code I would assume a PIX configured the same would work.
Hope this helps