Nortel VPN clients

jgwiesner
Level 1

I'm running a PIX and one of my internal users needs to VPN to an external customer's site where they use a Contivity. The nortel docs they sent me were useless, so I'm looking for someone with knowledge of what ports/protocols I need to permit so this user can connect to the remote VPN gateway.

I have tried permitting GRE (like Microsoft PPTP) and this had no effect.


jletend
Level 1

Nortel uses the IPsec protocol standard. You have to allow AH & ESP (ports 50 & 51) as well as IKE. You may want to look into some papers on IPsec to find more specifics. Hope this helped a little.

Protocol 50

Protocol 51

udp port 500

Permitting ESP (protocol 50) and isakmp (UDP 500) fixed it, thanks all.

mklaphek
Level 1

Are you running PAT? If so, opening IP ports 50 and 51 won't work because these are not TCP and UDP based, and therefore have no user ports to keep track of in the PIX (it can't really do a translation table on these).

If you are using NAT with a static, I recommend that you turn off AH on the Nortel end if it's enabled (although it's probably not an issue).

You will have to see if the Nortel supports IPSec over NAT/PAT, which allows the packets to be sent over TCP or UDP.

Hope this helps.

I have a PIX 501 set up pretty much the way it comes out of the box, except for a few static entries and an access-list to allow access to my web server. I have only 1 client on the inside that needs to be able to connect to a Contivity box with the Nortel client. How do I set up the PIX to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as UDP port 500, and nothing. Do I set this up on the outside interface or the inside interface? Can this be done by just adding an access-list, or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501, because it may make a difference compared to other PIXs.

Thanks

Gary

Phillip Remaker
Cisco Employee

A late reply, but:

IPSEC/ESP and PPTP with overloaded addresses on PIX are not supported yet (expected in PIX 6.3). Instead, set the Contivity to do IPSEC over UDP.

A Nortel customer reports: Using a Contivity ES1500D, the suggested version of code to use is V04_06.120. The 'NAT traversal' feature is available on all version 4 codes, and 128MB of RAM is recommended by the vendor. There's no add-on cost for this option or the version 4 code, as long as you have a software contract with Nortel. After upgrading, a new section is added under Services --> IPSEC --> NAT Traversal. The only option is to enable it (default is disabled) and specify a UDP port number (one that's unused in your private network, e.g. 10000).
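Pulling the thread together, here is an added PIX configuration example (not posted by any participant above and not taken from Cisco or Nortel documentation) showing the two situations discussed: the one-to-one static NAT case where ESP/AH and IKE are permitted inbound to the translated address, and the PAT-only case (a PIX 501 out of the box) where the Contivity's NAT Traversal option moves the tunnel inside UDP. The addresses (inside client 192.168.1.50, spare public address 203.0.113.10, remote Contivity 198.51.100.20), the access-list name outside_in and the PIX 6.2/6.3 syntax are all assumptions for illustration; the NAT Traversal port 10000 is the value suggested in the last reply.

```cisco
! Added example, not from the thread. Assumes PIX 6.2/6.3 syntax and the
! constructed addresses below; replace them with your own values.
!
! --- Case 1: one inside client behind its own static (one-to-one) NAT ---
! ESP (50) and AH (51) carry no port numbers, so PAT cannot keep a
! translation table for them; a static one-to-one entry avoids that.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
!
! Inbound rules on the outside interface: only the remote Contivity may send
! IKE (UDP 500), ESP and (if enabled on the Nortel side) AH back to the
! translated address. Traffic from inside to outside is permitted by default.
access-list outside_in permit udp host 198.51.100.20 eq isakmp host 203.0.113.10 eq isakmp
access-list outside_in permit esp host 198.51.100.20 host 203.0.113.10
access-list outside_in permit ah host 198.51.100.20 host 203.0.113.10
access-group outside_in in interface outside
!
! --- Case 2: PAT only (PIX 501 default) with Contivity NAT Traversal ---
! With NAT Traversal enabled on the Contivity the tunnel runs inside UDP
! (port 10000 in the example from the thread), which PAT translates like any
! other UDP flow. The outbound UDP 500 and UDP 10000 sessions from the client
! create the translation entries and the stateful inspection admits the
! replies, so no inbound access-list entry is needed in this case.
!
! On PIX 6.3 and later, "fixup protocol esp-ike" lets a single ESP tunnel pass
! through PAT without NAT Traversal (one client at a time), which is the
! 6.3 feature the Cisco reply refers to.
```

Keep the AH line out of the access-list if AH is disabled on the Nortel end, as the second reply suggests; an unused permit for a second protocol only widens the inbound exposure of the translated address.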