Nortel VPN clients

Apr 24th, 2002

I'm running a PIX and one of my internal users needs to VPN to an external customer's site where they use a Contivity. The nortel docs they sent me were useless, so I'm looking for someone with knowledge of what ports/protocols I need to permit so this user can connect to the remote VPN gateway.

I have tried permitting GRE (like Microsoft PPTP) and this had no effect.

jgwiesner Thu, 04/25/2002 - 09:46

Permitting ESP (protocol 50) and isakmp (UDP 500) fixed it, thanks all.

mklaphek Wed, 04/24/2002 - 13:24

Are you running PAT? If so, opening IP ports 50 and 51 won't work because these are not TCP and UDP based, and therefore have no user ports to keep track of in the PIX (it can't really do a translation table on these).

If you are using NAT with a static, I recommend that you turn off AH on the Nortel end if it's enabled (although it's probably not an issue).

You will have to see if the Nortel supports IPSec over NAT/PAT, which allows the packets to be sent over TCP or UDP.

Hope this helps.

gwnoyes Wed, 09/11/2002 - 10:19

I have a PIX 501 set up pretty much the way it comes out of the box except for a few static entries and an access-list to allow access to my web server. I have only 1 client on the inside that needs to be able to connect to a contivity box with the nortel client. How do I set up the pix to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as udp port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding an access-list or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501 because it may make a difference from those using other PIXs.

Phillip Remaker Thu, 09/12/2002 - 11:14
Cisco Employee

A late reply, but:

IPSEC/ESP and PPTP with overloaded addresses on PIX is not supported yet (expected in 6.3 PIX). Instead, set the contivity to do IPSEC over UDP.

A Nortel customer reports: Using a Contivity ES1500D, the suggested version of code to use is V04_06.120. The 'NAT traversal' feature is available on all version 4 codes and the 128MB of RAM is recommended by the vendor. There's no add-on cost for this option or the version 4 code, as long as you have a software contract with Nortel. After upgrading, a new section is added under Services --> IPSEC --> NAT Traversal. The only option is to enable it (default is disable) and specify a UDP port number (that's unused in your private network, e.g. 10000).
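The two approaches the thread converges on, written out as PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread; the addresses (RFC 5737 documentation ranges), the access-list name and the static mapping are assumptions, and UDP 10000 is the NAT Traversal port suggested in the reply above.

```cisco
! Added example. Assumed addresses:
!   inside VPN client          10.1.1.5
!   PIX outside / public IP    203.0.113.10
!   remote Nortel Contivity    198.51.100.20
!
! Case 1: native IPsec (ISAKMP on UDP 500 plus ESP, IP protocol 50).
! ESP carries no port numbers, so the PIX cannot PAT it; give the one
! client a one-to-one static so returning ESP can be mapped back.
static (inside,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
access-list acl_outside permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list acl_outside permit esp host 198.51.100.20 host 203.0.113.10
! AH (IP protocol 51) only if the Contivity has it enabled; the thread
! recommends turning it off on the Nortel side rather than permitting it.
! access-list acl_outside permit ah host 198.51.100.20 host 203.0.113.10
access-group acl_outside in interface outside
!
! Case 2: Contivity NAT Traversal enabled, encapsulating ESP in UDP 10000.
! Both flows are now UDP, so the ordinary PAT overload works and no
! static is required; explicitly permit the two returning UDP flows.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list acl_outside permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list acl_outside permit udp host 198.51.100.20 host 203.0.113.10 eq 10000
access-group acl_outside in interface outside
```

Permitting GRE, as the original poster first tried, matches PPTP rather than IPsec and does nothing for a Contivity tunnel; the protocol to open is ESP (or its UDP wrapper) alongside ISAKMP.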