Re: PIX 515 with nortel vpn contivity client behind
If the Nortel client is not doing any sort of UDP/TCP encapsulation, you'll need to create static translations for these, since native IPSec and PAT don't play well together. After creating the statics, you'll also have to allow ESP back into the PIX since the PIX won't allow this back in by default (like it does with TCP/UDP traffic). Something like the following (assuming inside hosts are 10.1.1.1-10.1.1.3):
If however, you can do TCP/UDP encapsulation of the IPSec packets, then you shouldn't need to do anything. The clients will build a tunnel using UDP/500 which will be allowed out and back in by default, and then the data will be transferred over whatever TCP/UDP port Nortel uses. This will also be allowed out and back in by default.
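As an added illustration of the first scenario (native ESP, no encapsulation), here is a PIX 6.x-style fragment showing the three statics plus an inbound ACL that admits ESP to them. This is example configuration written for this post, not the reply author's own config: the outside addresses 203.0.113.11-13, the ACL name `outside_in`, and the Nortel gateway address 198.51.100.5 are placeholders you would replace with your own values.

```text
! One-to-one statics so each inside client keeps a fixed outside address
! (IPSec/ESP carries no port numbers, so PAT cannot multiplex it)
static (inside,outside) 203.0.113.11 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.1.1.2 netmask 255.255.255.255
static (inside,outside) 203.0.113.13 10.1.1.3 netmask 255.255.255.255

! Allow ESP (IP protocol 50) back in, but only from the Nortel VPN gateway
! and only to the three translated addresses; IKE on UDP/500 needs no ACL
! entry because the PIX already tracks outbound UDP state
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.11
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.12
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.13

! Apply the ACL inbound on the outside interface
access-group outside_in in interface outside
```

Restricting the source to the known VPN gateway rather than `any` keeps the inbound ESP opening as narrow as possible; after applying it, `show conn` should show the UDP/500 IKE connections and `show access-list outside_in` should show hit counts climbing on the ESP entries once a tunnel is up.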