Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
1
Replies

PIX 515 with nortel vpn contivity client behind

cmelbourne
Level 1
Level 1

‎12-10-2003 03:33 AM

I have a pix 515e and have a few pc's on the lan on the inside interface that need to run nortel contivity vpn client from the pc through the pix and out to a certain site.

does anyone know how to do this ?

I am running pix version 6.2(3)

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎12-11-2003 03:31 PM

If the Nortel client is not doing any sort of UDP/TCP encapsulation, you'll need to create static translations for these, since native IPSec and PAT don't play well together. After creating the static's, you'll also have to allow ESP back into the PIX since the PIX won't allow this back in by default (like it does with TCP/UDP traffic)". Something like the following (assuming inside hosts are 10.1.1.1-10.1.1.3):

static (inside,outside) 50.50.50.1 10.1.1.1

static (inside,outside) 50.50.50.2 10.1.1.2

static (inside,outside) 50.50.50.3 10.1.1.3

access-list inbound permit esp host host 50.50.50.1

access-list inbound permit esp host host 50.50.50.2

access-list inbound permit esp host host 50.50.50.3

access-group inbound in interface outside

If however, you can do TCP/UDP encapsulation of the IPSec packets, then you shouldn't need to do anything. The clients will build a tunnel using UDP/500 which will be allowed out and back in by default, and then the data will be transferred over whatever TCP/UDP port Nortel uses. This will also be allowed out and back in by default.

0 Helpful
Customers Also Viewed These Support Documents