New Member

Nortel VPN access through my PIX 501

I have a PIX 501 set up pretty much the way it comes out of the box except for a few static entries and an access-list to allow connections to my web server. I have only 1 client on the inside that needs to be able to VPN to a Contivity box with the Nortel client. How do I set up the PIX to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as UDP port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding entries to my access-list or is it more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501 because it may make a difference from those using other PIXes. One more thing, my PIX has a DHCP address on the external interface.

Cisco Employee

Re: Nortel VPN access through my PIX 501

If you're doing PAT on this 501 then you should be able to at least build a tunnel, but then you probably won't be able to pass traffic. PAT and IPSec don't work well together. If you have a spare external IP address (doubtful since you're doing DHCP), then you could set up a static for your internal VPN client machine and then it should work fine. Alternatively, if the Nortel supports some sort of IPSec encapsulation into a TCP or UDP packet, then if you enable that it all should work even with a PAT config on the 501.

What errors do you see on the 501 if you enable syslogging? That may give us a better indication of what's going on.
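
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified PAT model (not the PIX implementation) run over constructed packets, showing IKE on UDP 500 translating, raw ESP (protocol 50) getting no translation in either direction, and UDP-encapsulated ESP translating like any other UDP flow. `PatDevice`, the addresses, and `ENCAP_PORT` 4500 (the RFC 3948 NAT-T port) are assumptions; the thread does not say which port the Nortel client uses.

```python
import socket
import struct

TCP, UDP, ESP = 6, 17, 50
ENCAP_PORT = 4500  # assumption: RFC 3948 NAT-T port; the thread names no port

def ip_packet(proto, src, dst, payload):
    """Constructed IPv4 packet: 20-byte header (checksum left 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def esp(spi, seq=1):
    return struct.pack("!II", spi, seq) + bytes(16)  # zeros stand in for ciphertext

class PatDevice:
    """Simplified PAT: one outside address, flows keyed by (protocol, port)."""
    def __init__(self, outside_ip):
        self.outside_ip, self.next_port, self.xlate = outside_ip, 1024, {}

    def outbound(self, pkt):
        proto, ihl = pkt[9], (pkt[0] & 0x0F) * 4
        if proto not in (TCP, UDP):
            return None  # ESP/AH: no source port to rewrite, so no xlate entry
        (sport,) = struct.unpack_from("!H", pkt, ihl)
        self.next_port += 1
        self.xlate[(proto, self.next_port)] = (socket.inet_ntoa(pkt[12:16]), sport)
        return self.next_port

    def inbound(self, pkt):
        proto, ihl = pkt[9], (pkt[0] & 0x0F) * 4
        if proto not in (TCP, UDP):
            return None  # nothing in the packet selects an inside host
        (dport,) = struct.unpack_from("!H", pkt, ihl + 2)
        return self.xlate.get((proto, dport))

def run_demo():
    # All addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
    client, peer, outside = "192.168.1.10", "203.0.113.5", "198.51.100.20"
    pat = PatDevice(outside)
    ike_port = pat.outbound(ip_packet(UDP, client, peer, udp(500, 500)))
    ike_reply = pat.inbound(ip_packet(UDP, peer, outside, udp(500, ike_port)))
    esp_out = pat.outbound(ip_packet(ESP, client, peer, esp(0x1001)))
    esp_in = pat.inbound(ip_packet(ESP, peer, outside, esp(0x2002)))
    enc_port = pat.outbound(ip_packet(UDP, client, peer, udp(ENCAP_PORT, ENCAP_PORT, esp(0x1001))))
    enc_in = pat.inbound(ip_packet(UDP, peer, outside, udp(ENCAP_PORT, enc_port, esp(0x2002))))
    return {"ike_reply": ike_reply, "esp_out": esp_out, "esp_in": esp_in, "encap_in": enc_in}
```

In syslog terms, this is the pattern to look for: the IKE exchange on UDP 500 completes, and the protocol 50 packets that follow have no translation to match.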
