Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Nortel VPN clients

I'm running a PIX and one of my internal users needs to VPN to an external customer's site where they use a Contivity. The nortel docs they sent me were useless, so I'm looking for someone with knowledge of what ports/protocols I need to permit so this user can connect to the remote VPN gateway.

I have tried permitting GRE (like Microsoft PPTP) and this had no effect.

6 REPLIES
Community Member

Re: Nortel VPN clients

Nortel users the IPsec protocol std. you have to allow AH & ESP ports 50&51 as well as IKE. You may want to look into some papers on IPsec to find more specifics. hope this helped alittle

Community Member

Re: Nortel VPN clients

Protocol 50

Protocol 51

udp port 500

Community Member

Re: Nortel VPN clients

Permitting ESP (protocol 50) and isakmp (UDP 500) fixed it, thanks all.

Community Member

Re: Nortel VPN clients

Are you running PAT? If so, opening IP ports 50 and 51 won't work because these are not TCP and UDP based, and therefore have no user ports to keep track of in the PIX (it can't really do a translation table on these).

If you are using NAT with a static, I recommend that you turn off AH on the Nortel end if it's enabled (although it's probably not an issue).

You will have to see if the Nortel supports IPSec over NAT/PAT, which allows the packets to be sent over TCP or UDP.

Hope this helps.

Community Member

Re: Nortel VPN clients

I have a PIX 501 set up pretty much the way it comes out of the box accept for a few static entries and an access-list to allow access to my web server. I have only 1 client on the inside that needs to be able to connect to a contivity box with the nortel client. How do I set up the pix to allow this client through? I tried to add entries to my access-list for protocol 50 and 51 as well as udp port 500 and nothing. Do I set this up on the outside interface or the inside interface? Can this be done through just adding an access-list or is more complicated than that? Any insight would be greatly appreciated. Remember that this is a PIX 501 because it may make a difference from those using other PIXs

Thanks

Gary

Cisco Employee

Re: Nortel VPN clients

A late reply, but:

IPSEC/ESP and PPTP with overloaded addresses on PIX is not supported yet (expected in 6.3 PIX). Instead, set the contivity to do IPSEC over UDP.

A Nortel customer reports: Using a Contivity ES1500D, the suggested version of code to use is V04_06.120, The 'NAT traversal' feature is available on all version 4 codes and the 128MB of RAM is recommended by the vendor. There's no add on cost for this option or the version 4 code, as long as you have a software contract with Nortel. After upgrading, a new section is added under Services --> IPSEC --> NAT Traversal. The only option is to enable it (default is disable) and specify a UDP port number (that's unused in your private network, eg 10000).

187
Views
0
Helpful
6
Replies
CreatePlease to create content