IP Protocols 50 & 51 through ASA Firewall for Nortel VPN Client

shaw.chris
Level 1

Hi,

I need to allow protocols 50 & 51 (AH & ESP) through our ASA 5505 Firewall so that our Nortel VPN Client will connect to a remote network.

Can you tell me how I go about this please, are there inspect rules I can add?

There are also UDP ports I need to allow, but I believe UDP is allowed anyway by the implicit allow rule?

Does this implicit outgoing rule "allow all IP to any less secure network" on the ASA only include UDP and TCP? Can someone confirm this please.

Regards,

Chris

8 Replies

andrew.prince
Level 10

Chris,

A few questions:-

1) Are you performing NAT for the Nortel VPN concentrator?

2) Are you using any non-standard NAT-T ports?

3) if the answer to question 1 is yes - you cannot use AH - protocol 51

4) Is the Nortel device in a DMZ or just on the internal network?

HTH>

Hi, thanks for the quick reply,

I'm unsure about some of those questions, but we have a Software Nortel VPN Client installed on a couple of laptops which need to connect to a remote network.

Looking at the documentation, I require Protocol 50, 51 and UDP 500 allowed on the Firewall.

I have NAT set up to translate our one External IP address to multiple 192.168.0.0/24 addresses on the inside.

Could you please also confirm that by default only TCP & UDP is allowed out from the inside on an ASA firewall

Thanks, Chris

Chris,

As the machines need to connect to a remote Nortel device, you only need to make changes to your firewall if you are filtering from the "inside" to the "outside"... which typically most people are not.

Typically in an ASA any "IP" is allowed from a higher security interface to a lower security interface. I say "IP" as this is protocol number 4. Having said that, protocol 50 & 51 (ESP & AH) will also be allowed if you are not filtering.

So basically from your site to the remote site should work.

HTH>
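As an added illustration, not part of Andrew's reply or Chris's configuration, the ASA configuration below shows what a practitioner would check or add so the Nortel client's IKE (UDP 500), NAT-T (UDP 4500) and ESP traffic passes an ASA that PATs the inside network. The interface names, ACL names, the pre-8.3 nat/global syntax and the inspection parameter values are assumptions for the example; the 192.168.0.0/24 range and single public address come from the thread.

```cisco
! Added example, not taken from the thread. Assumptions: inside network is
! 192.168.0.0/24, one public address on "outside", pre-8.3 NAT syntax.

! 1. The existing PAT as Chris described it. AH (protocol 51) cannot
!    survive this: its integrity check covers the source IP that PAT
!    rewrites, so the remote peer drops every AH packet. Use ESP only.
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface

! 2. Outbound. With no ACL bound to "inside" the implicit permit already
!    lets IKE, NAT-T, ESP and AH out. Only if an inside ACL exists do these
!    lines matter (isakmp = UDP 500; 4500 = NAT-T; esp/ah are ACL keywords).
access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 any eq isakmp
access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 any eq 4500
access-list inside_access_in extended permit esp 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ah 192.168.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

! 3. Return path. ESP has no ports, so PAT cannot match the reply to a
!    client by itself. IPsec pass-through inspection ties inbound ESP to
!    the client's outbound UDP/500 IKE session. The parameter map below
!    (values assumed) permits ESP and caps flows per client; AH is left
!    disabled because of point 1.
policy-map type inspect ipsec-pass-thru ipsec-pass-thru-map
 parameters
  esp per-client-max 10 timeout 0:10:00
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pass-thru-map
service-policy global_policy global
```

Two notes on reading this against the thread. The `ip` keyword in ASA access-lists matches every IP protocol number, which is why the implicit "permit ip any any" from a higher- to a lower-security interface covers ESP, AH and ICMP as well as TCP and UDP. And when the remote gateway supports NAT-T, prefer it over raw ESP: NAT-T wraps ESP in UDP/4500, which PAT tracks like any other UDP flow, and it was designed for exactly the case of several clients behind one public address.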

Thanks,

This is what I don't understand,

What does the implicit allow rule from Inside-Outside let through on the ASA?

From your response ESP and AH will also be allowed as well as TCP/UDP but a protocol such as ICMP does not work until I put an inspect rule.

How do I know what is let through and what isn't ?

Thanks,

Chris

Chris,

The reason why ICMP does not respond is it's not "stateful" until you tell the device to inspect it. If you do not want to inspect it, just write an ACL for the outside interface allowing whichever ICMP types to return into the outside interface.

To know what is allowed and not, the below rules apply:-

1) There is an implicit deny all at the end of EVERY access-list

2) ALL traffic is allowed from a higher security interface to a lower security interface

3) To allow traffic originating from a lower security interface to a higher security interface you need to permit it with an ACL.

Also check your logs....logging is your friend.

HTH>
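As an added example (not from Andrew's post), here are the two ways he describes of letting ICMP replies back in, plus the logging he recommends, in ASA CLI. Interface names, the ACL name and the syslog host address are assumptions.

```cisco
! Added example, not taken from the thread. Names and addresses assumed.

! Option A: make ICMP stateful. Replies to an inside ping are then matched
! to the outbound echo and need no outside ACL at all.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Option B: no ICMP inspection; permit the reply types explicitly on
! "outside". Rule 1 above applies the moment this ACL is bound: anything
! arriving on outside that is neither listed here nor part of an existing
! connection hits the implicit deny at the end and is dropped.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! Logging: buffer denies with timestamps and ship them to a syslog host
! (address assumed). An ESP or AH packet refused by an ACL then appears
! as a "Deny protocol 50 ..." / "Deny protocol 51 ..." line (message
! 106023), which is the first thing to search for when the VPN will not
! come up.
logging enable
logging timestamp
logging buffered informational
logging host inside 192.168.0.10
```

Pick one option, not both: with `inspect icmp` enabled, ICMP replies are already admitted by state, and an outside ACL is only needed for traffic the outside world initiates.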

Thanks again for your help,

Chris

Post the logs if you have trouble.

Also, check that the firewalls on the PC are disabled. Sometimes Norton and McAfee and others will block returning IPsec traffic.

John

imuonagor
Level 1

Hi, I don't know if you finally worked around this issue but I'm having the same in my office.

We were not using a firewall before and the Nortel VPN clients on PCs worked well. Then I installed a PIX 515 firewall and the VPN will connect, then after a little time it disconnects.

Please let me know how you resolved the issue in your network. Thanks a bunch!
