Commands required to enable Nortel Contivity client through Pix firewall

Unanswered Question
Mar 20th, 2003

We have a group of clients working inside of our facility who need to access their office network using the Nortel Contivity VPN software through our Pix firewall and have requested that we make the required configuration changes to our Pix device to allow these connections.


The following is a suggested firewall configuration to allow the Extranet connection:

Protocol 17 (UDP) source + destination port of 500 must be open
Protocol 50 (ESP) must be open both inbound and outbound, port NA
Protocol 51 (AH) must be open both inbound and outbound, port NA

Additionally, if you are doing NAT or anything in between the customer and our end point is using NAT, you will need UDP port 4500 outbound open from your system to the Extranet server (x.x.x.x). This takes the place of protocols 50 and 51.


Can anyone instruct us as to what commands need to be issued to our Pix device to enable these connections?


Thanks in advance for your cooperation.


There is no surefire way for us to tell you - by default PIXen allow all traffic outbound, and nothing in (only that traffic in which is returning as part of a stateful connection). You may have an outbound access list limiting what can go out. We really would need to see a configuration to say for certain.


That said, I would try having them enable the IPSec through UDP feature on the software client, regardless of whether you are using NAT. This encapsulation feature might be enough to get them working - since they are initiating the outbound commo, the default PIX configuration should allow that out, and then all the return traffic should be allowed in.
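For the case the reply mentions where an outbound access list is already limiting traffic, the following PIX 6.x access-list entries permit exactly the traffic the question lists. This is an added example, not configuration from the original post or from Cisco; it assumes the inside hosts sit on 10.1.1.0/24 (a constructed value), keeps x.x.x.x from the post as the placeholder for the Extranet server, and assumes an outbound ACL named inside_out (a hypothetical name) is the one applied to the inside interface. On a PIX with no outbound ACL, none of the permit lines are needed, as the reply says.

```cisco
! Added example, not from the original post. Values marked as such are
! constructed or hypothetical: 10.1.1.0/24 is the assumed inside subnet,
! x.x.x.x is the post's placeholder for the Extranet server, and inside_out
! is an assumed name for the existing outbound ACL on the inside interface.

! IKE: UDP destination port 500 (PIX accepts the literal "isakmp" for 500).
access-list inside_out permit udp 10.1.1.0 255.255.255.0 host x.x.x.x eq isakmp

! NAT-T / IPSec through UDP: UDP destination port 4500. The reply's
! suggestion; needed when PAT sits between the client and the server,
! and the return traffic comes back through the PIX's normal UDP state.
access-list inside_out permit udp 10.1.1.0 255.255.255.0 host x.x.x.x eq 4500

! Native ESP (protocol 50) and AH (protocol 51), only if the client is
! not using UDP encapsulation. These have no ports; PIX 6.x does not keep
! stateful entries for them the way it does for UDP, and they do not
! survive PAT, which is why the UDP 4500 path above is the safer choice.
access-list inside_out permit esp 10.1.1.0 255.255.255.0 host x.x.x.x
access-list inside_out permit ah 10.1.1.0 255.255.255.0 host x.x.x.x

! Bind the ACL to the inside interface for traffic entering the PIX there.
access-group inside_out in interface inside

! Verification: hit counts on each line show which path the client actually
! uses (500/4500 climbing means the UDP-encapsulated tunnel came up).
show access-list inside_out
```

Keep the esp/ah lines only if the client cannot be switched to UDP encapsulation; with IPSec through UDP enabled on the Contivity client, the two UDP lines are sufficient and nothing inbound needs to be opened, since the PIX tracks the client-initiated UDP flows and admits the replies.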
