There could be many things that can go wrong. First check the routing part: are you able to ping and reach these devices without the tunnel? Next would be to check if the PIX is configured correctly. Make sure you have appropriate nat, global, static and access-list commands to allow the required traffic to pass through. Then verify your IPSec configuration.
If there is more than one client then you definitely need NAT-T on the Contivity box. In Cisco it is controlled by the gateway; I am not sure where in Contivity you need to enable it.
When I say UDP500-500 I mean source and destination 500.
When I say UDP any - 4500 I mean source any and destination any.
Why do we require NAT T?
If there is no NAT-T, then suppose the client has a dedicated global IP address: what will the encapsulation look like when it leaves the client (PC)? It will be TCP->IP->ESP->IP. Now suppose the client is behind a PAT device. Because it is tunnel mode (every client uses tunnel mode; they cannot use transport mode), the PAT device in front of the client PC will not be able to make a translation, because ESP is always port 0 (it does not have any ports), and the packet will be dropped.
How can this be prevented?
We can traverse the NAT by encapsulating the entire packet into a UDP packet (UDP because it is fast; TCP can also be used, but that is undefined by the RFC).
If the NAT-T is enabled then the packet which left the PC will look like
TCP->IP->ESP->UDP->IP. Now the FW in front of the client will have something to create a translation on, because UDP has ports. And the destination port is always going to be 4500 (defined by the RFC). Because the source port is under the control of the intermediate FW, it can be a random high-numbered port.
NAT-T also has features like automatic NAT-D (detection) and NAT keepalives, so that the FW does not time out the translation in case the VPN tunnel is idle.
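To make the explanation above concrete, here is an added example (not part of the original thread) that builds two constructed packets, plain IPv4+ESP and IPv4+UDP/4500+ESP, and runs a toy PAT lookup over each. The IP addresses, SPI and port numbers are made up for the demonstration; the point it shows is that the PAT device has nothing to key a per-client translation on for bare ESP (protocol 50 has no ports), while the UDP-encapsulated form gives it a source and destination port, so several clients behind the same PAT each get their own translation.

```python
"""
Constructed demonstration of why NAT-T (RFC 3948) is needed behind PAT.
Addresses, SPI and ports below are sample values, not from any real deployment.
"""
import struct

ESP_PROTO = 50      # IP protocol number for ESP
UDP_PROTO = 17
NAT_T_PORT = 4500   # UDP port used for ESP-in-UDP and IKE after NAT detection


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (not checked here)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_plain_esp(src, dst, spi=0x1000, seq=1):
    """IP -> ESP, as a client with a public address would send it (no NAT-T)."""
    esp = esp_header(spi, seq) + b"\x00" * 16   # 16 bytes standing in for ciphertext
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def build_nat_t_esp(src, dst, sport, spi=0x1000, seq=1):
    """IP -> UDP/4500 -> ESP, the NAT-T form; the SPI follows the UDP header directly."""
    esp = esp_header(spi, seq) + b"\x00" * 16
    udp = udp_header(sport, NAT_T_PORT, len(esp)) + esp
    return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def build_nat_t_ike(src, dst, sport):
    """IKE over UDP/4500 carries a 4-byte zero 'non-ESP marker' before the IKE header."""
    ike = b"\x00" * 4 + b"\x11" * 28                 # constructed IKE header bytes
    udp = udp_header(sport, NAT_T_PORT, len(ike)) + ike
    return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def classify(packet):
    """Extract what a PAT device can see. Ports are None when the protocol has none."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    flow = {"src": src, "dst": dst, "proto": proto, "sport": None, "dport": None, "label": "other"}
    if proto == ESP_PROTO:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
        flow["label"] = "ESP (no ports; SPI 0x%x)" % spi
    elif proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        body = packet[ihl + 8:]
        flow.update(sport=sport, dport=dport, label="UDP")
        if NAT_T_PORT in (sport, dport):
            # Zero non-ESP marker => IKE; otherwise the first word is a non-zero ESP SPI.
            flow["label"] = "NAT-T IKE" if body[:4] == b"\x00\x00\x00\x00" else "NAT-T ESP"
    return flow


class ToyPAT:
    """A PAT that can only translate flows carrying transport-layer ports."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.table = {}
        self.next_port = first_port

    def translate(self, flow):
        if flow["sport"] is None:
            return None   # nothing to key a per-host translation on: packet is dropped
        key = (flow["src"], flow["sport"], flow["dst"], flow["dport"], flow["proto"])
        if key not in self.table:
            self.table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def demo():
    """Two clients behind one PAT, first with bare ESP, then with NAT-T."""
    pat = ToyPAT("198.51.100.1")
    gw = "203.0.113.10"
    bare = pat.translate(classify(build_plain_esp("10.0.0.5", gw)))
    c1 = pat.translate(classify(build_nat_t_esp("10.0.0.5", gw, 51000)))
    c2 = pat.translate(classify(build_nat_t_esp("10.0.0.6", gw, 51000)))
    return bare, c1, c2


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `None` for the bare-ESP client (the PAT has no ports to build a translation, matching the "packet will be dropped" case above) and distinct outside ports for the two NAT-T clients, even though both chose the same inside source port, which is why the source port is under the control of the intermediate firewall while the destination stays 4500.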
Thanks. Will check it out. I do not have a problem with a VPN concentrator when trying to VPN through the firewall, but I have enabled NAT-T. The Nortel stuff is out of my reach, but I will ask the question. I had opened all the necessary ports, both UDP 500 and 4500, but it was a no go.
As for turning on fixup, there would be an issue with site-to-site tunnelling which may be created on this PIX in the future.