I have a PIX 501 set up pretty much the way it comes out of the box except for a few static entries and an access-list to allow connections to my web server. I have only 1 client on the inside that needs to be able to VPN to a Contivity box with the Nortel client. How do I set up the PIX to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as UDP port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding entries to my access-list, or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501 because it may make a difference from those using other PIXes. One more thing: my PIX has a DHCP address on the external interface.
If you're doing PAT on this 501 then you should be able to at least build a tunnel, but then you probably won't be able to pass traffic. PAT and IPSec don't work well together. If you have a spare external IP address (doubtful since you're doing DHCP), then you could set up a static for your internal VPN client machine and then it should work fine. Alternatively, if the Nortel supports some sort of IPSec encapsulation into a TCP or UDP packet, then if you enable that it all should work even with a PAT config on the 501.
What errors do you see on the 501 if you enable syslogging? That may give us a better indication of what's going on.
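As an added illustration of the two options described in the reply above (a one-to-one static for the VPN client when a spare public address exists, or letting ESP ride through PAT), here is a PIX 6.x-style configuration fragment. It is not taken from the thread or from Cisco documentation; the addresses (203.0.113.10, 192.168.1.50, 198.51.100.5, 192.168.1.20), the access-list name `outside_in`, and the assumption that the Nortel Contivity gateway sits at a single fixed public address are all placeholders chosen for the example.

```cisco
! --- Option A: spare public IP available (assumed: 203.0.113.10) ---
! Map the single internal VPN client (assumed 192.168.1.50) one-to-one so its
! ESP/AH packets are not rewritten by PAT. Without a spare address this
! section does not apply.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! Only the peer gateway (assumed 198.51.100.5) may send IKE, ESP, AH and
! NAT-T (UDP 4500) to the mapped address. Protocol numbers 50 and 51 are the
! keywords esp and ah; isakmp is UDP 500.
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_in permit ah  host 198.51.100.5 host 203.0.113.10

! Inbound lists are applied on the outside interface, never the inside.
access-group outside_in in interface outside

! --- Option B: PAT only (outside address from DHCP, no spare IP) ---
! Assumption: the PIX runs 6.3 or later, which can track a single ESP
! session through PAT by pairing it with the IKE negotiation that set it up.
! This handles exactly one ESP tunnel at a time, which matches the "only 1
! client" case. If the Nortel side offers UDP encapsulation (NAT-T), prefer
! enabling that on the client instead; it then needs only UDP 500/4500 and
! no special ESP handling on the PIX.
fixup protocol esp-ike

! --- Verification: send logs to an inside syslog host (assumed 192.168.1.20)
! so denied packets from the peer show up as 106xxx deny messages and the
! tunnel build-up can be watched while the Nortel client connects.
logging on
logging trap informational
logging host inside 192.168.1.20
```

To check which path packets are taking, `show xlate` should list the static translation for the client under Option A, and `show access-list outside_in` shows hit counts climbing on the esp and isakmp lines when the client connects; a tunnel that builds but passes no data is the PAT symptom the reply above describes.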