
New Member

PIX 515 with nortel vpn contivity client behind

I have a PIX 515E and have a few PCs on the LAN on the inside interface that need to run the Nortel Contivity VPN client from the PC through the PIX and out to a certain site.

Does anyone know how to do this?

I am running PIX version 6.2(3).

  • VPN
1 REPLY
Cisco Employee

Re: PIX 515 with nortel vpn contivity client behind

If the Nortel client is not doing any sort of UDP/TCP encapsulation, you'll need to create static translations for these, since native IPsec and PAT don't play well together. After creating the statics, you'll also have to allow ESP back into the PIX, since the PIX won't allow this back in by default (like it does with TCP/UDP traffic). Something like the following (assuming inside hosts are 10.1.1.1-10.1.1.3):

static (inside,outside) 50.50.50.1 10.1.1.1
static (inside,outside) 50.50.50.2 10.1.1.2
static (inside,outside) 50.50.50.3 10.1.1.3
access-list inbound permit esp any host 50.50.50.1
access-list inbound permit esp any host 50.50.50.2
access-list inbound permit esp any host 50.50.50.3
access-group inbound in interface outside

If, however, you can do TCP/UDP encapsulation of the IPsec packets, then you shouldn't need to do anything. The clients will build a tunnel using UDP/500, which will be allowed out and back in by default, and then the data will be transferred over whatever TCP/UDP port Nortel uses. This will also be allowed out and back in by default.

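The reply above pairs each static translation with an ESP permit on the outside ACL, and the usual way this setup breaks in practice is a static with no matching permit, or an ACL that was written but never bound with access-group. The following audit script is an added example, not code from the thread or from Cisco: it parses a PIX 6.x-style fragment (static, access-list, access-group lines, as in the reply; the address grammar any / host A / A MASK is assumed), then checks that every static's global address is reachable by an ESP permit on the ACL bound inbound on the outside interface, and flags permits whose destination is any rather than the specific host. The sample configs are constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the reply: three statics, but only two
# ESP permits, so the third host's IPsec tunnel will never come up.
SAMPLE_CONFIG = """\
static (inside,outside) 50.50.50.1 10.1.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 50.50.50.2 10.1.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 50.50.50.3 10.1.1.3 netmask 255.255.255.255 0 0
access-list inbound permit esp any host 50.50.50.1
access-list inbound permit esp any host 50.50.50.2
access-group inbound in interface outside
"""

# Constructed sample where ESP is let in to every address, not just the static.
BROAD_CONFIG = """\
static (inside,outside) 50.50.50.9 10.1.1.9 netmask 255.255.255.255 0 0
access-list inbound permit esp any any
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (statics, acls-by-name, acl-name-by-interface) for the fragment."""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append({"inside_if": m[1], "outside_if": m[2],
                            "global": m[3], "local": m[4]})
        elif m := ACL_RE.match(line):
            src, rest = _take_addr(m[4].split())
            dst, _ = _take_addr(rest)
            acls.setdefault(m[1], []).append(
                {"action": m[2], "proto": m[3].lower(), "src": src, "dst": dst})
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]          # interface -> ACL bound inbound on it
    return statics, acls, groups


def audit(text):
    """List the ESP-related problems for each static translation."""
    statics, acls, groups = parse_config(text)
    findings = []
    for st in statics:
        acl_name = groups.get(st["outside_if"])
        if acl_name is None:
            findings.append(f"no access-group bound inbound on {st['outside_if']}; "
                            f"ESP to {st['global']} will be dropped")
            continue
        ip = ipaddress.ip_address(st["global"])
        esp = [r for r in acls.get(acl_name, [])
               if r["action"] == "permit" and r["proto"] in ("esp", "50")
               and ip in r["dst"]]
        if not esp:
            findings.append(f"static {st['global']} -> {st['local']} has no ESP permit "
                            f"in {acl_name}; IPsec tunnel will fail")
        elif any(r["dst"].prefixlen == 0 for r in esp):
            findings.append(f"ESP permit covering {st['global']} in {acl_name} uses "
                            f"'any' destination; scope it to the host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broad", BROAD_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

ESP has no port to filter on, so the destination host (and, if the remote gateway address is fixed, the source) is the only scoping the ACL can give; the audit treats a destination of any as something to tighten rather than an error, since the tunnel still works either way.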