Allow Nortel Contivity Client from behind PIX515

Status
Not open for further replies.

caffinator

IS-IT--Management
Apr 10, 2003
Hello, can anyone get me pointed in the right direction please? I need to allow my users to use the Nortel Contivity VPN Client to access a customer site from behind our PIX515. Can someone please tell me what modifications are needed to the config to allow this. We currently have 3 remote sites connected by PIX-to-PIX VPN which works great. This is the first time we have allowed VPN using a client on PCs. Any help you can provide will be greatly appreciated!
 
HI.

What does Nortel use? Is it IPSec?
Check the Nortel documentations for ports you need to open.
For many VPN solutions, you will also need a STATIC mapping of a registered ip address to the workstation with the VPN client, in addition to ACCESS-LIST on the outside interface to open the required ports.

I do not have any experience with Nortel VPN. What I wrote above is based on experience with either Cisco PIX VPN or with PPTP via the PIX.

Bye
Yizhar Hurwitz
 
Thanks for your reply. I will find out the ports that need to be opened and post them here for others. Yes Nortel does use IPSEC. I will post other info as I learn of it. Again, thanks!!
 
HI.

Most basic IPSec implementations use the following:

UDP port 500 (isakmp)
IP protocol 50 (esp)
But some vendors or some configurations use additional ports/protocols.

So a pix configuration for IPSec passthrough would be similar to this:

static (inside,outside) registeredip privateip
access-list fromoutside permit udp host VPNSERVER host registeredip eq 500
access-list fromoutside permit esp host VPNSERVER host registeredip
....
Yizhar Hurwitz
 
I will give your suggestions a try and will let you know how successful (or unsuccessful) I am :) Thanks!!
 
Your suggestions have worked. I also needed to add static routes for the PCs which need to use Contivity. This brings me to another problem. When using the Contivity VPN client, all other addresses become unseen. For instance, we run Lotus Sametime which connects via an external server. This connection is lost when connected to the Contivity VPN. Nothing inside my network can be seen when using Contivity. I will continue researching; all suggestions are welcome!
 
HI.

This is probably by design.
Many VPN solutions (including Cisco) have a configurable option to block any other traffic when the VPN tunnel is up, for security reasons - to prevent a remote hacker from using a VPN client as a proxy to get to the main network.

The configuration of this option is probably at the VPN server.

Consult the Nortel VPN server administrator about this issue, and also the Nortel docs.

Bye


Yizhar Hurwitz
 
This info is great.

But from what you have said, this solution is only good for static NAT.

I only have one public IP and need to use PAT,
so I suppose I need to do some port mapping.
My inside interface allows all traffic out, so I am only worried about return traffic.

Can this be done?

Thanks
 
I have to do the same thing. I have limited number of public IPs but must set up multiple NATed users to use the Nortel VPN client through a PIX 515. Is there any way to do this without having to have a static mapped public IP for each user?
 
Try upgrading to OS ver 6.3, then use the following command:

fixup protocol esp-ike

This command was added to 6.3 to allow VPN connections through PAT addresses
 
HI.

You can check with Nortel experts - maybe there is a NAT-Traversal option for Nortel VPN that can solve it.
There are other options, for example using some kind of proxy or nat device that will establish VPN connections on behalf of internal clients.
For example - using a W2K Terminal Server with VPN client and the needed client software.

> fixup protocol esp-ike
As far as I think - it supports only a single tunnel at a time, but I'm not sure about it, and I didn't check.


Yizhar Hurwitz
 
I have added the fixup protocol esp-ike.

This states that it only supports one tunnel at a time, which is fine.

What I am interested in are the ports I need to redirect using PAT, or do all connections start from the client outwards (thus automatically creating inbound access using the esp-ike fixup??)

because it still doesn't seem to work.
 
We upgraded the clients to version 4.15 of the Nortel VPN client and now we can have multiple users going out through a PIX using PAT. Thanks everyone for your help. (also upgraded PIX to 6.3.2 but I don't know if that made a difference)
 
HI.

> what I am interested in are the ports I need to redirect using PAT,
You do not need to redirect ports, but you need to allow the ports/protocols used by your VPN on the outside interface (in your access-list).
The common IPSec implementation uses UDP 500 + ESP (IP protocol 50), but check this with your Nortel docs.
You can also use syslog messages to see what traffic is blocked by the pix.

> We upgraded the clients to version 4.15 of the Nortel VPN client and now we can have multiple users
So that is probably the best solution for others.



Yizhar Hurwitz
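The two points above (permit only UDP 500 and ESP from the specific VPN server host, and use PIX syslog denies to see what is being blocked) can be combined into a small checker. This is an added example, not code from the thread or from Cisco: it parses constructed PIX 106023 deny lines, picks out the IPsec flows (it also recognises NAT-T on UDP 4500, which the thread only alludes to as "NAT-Traversal"), and prints the host-scoped access-list line each one needs. The message format, addresses and access-group name are assumptions.

```python
import re

# Constructed PIX 6.x-style "106023" deny messages (addresses are documentation ranges,
# "fromoutside" is the access-group name used earlier in this thread).
SAMPLE_SYSLOG = """\
%PIX-4-106023: Deny udp src outside:203.0.113.10/500 dst inside:192.0.2.20/500 by access-group "fromoutside"
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst inside:192.0.2.20 by access-group "fromoutside"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/4411 dst inside:192.0.2.20/445 by access-group "fromoutside"
%PIX-4-106023: Deny udp src outside:203.0.113.10/4500 dst inside:192.0.2.20/4500 by access-group "fromoutside"
"""

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>udp|tcp|icmp|protocol \d+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"')

def parse_denies(text):
    """Return one dict per deny line that matches the assumed 106023 format."""
    return [m.groupdict() for line in text.splitlines() if (m := DENY_RE.search(line))]

def is_ipsec(flow):
    """ISAKMP (UDP 500), NAT-T (UDP 4500) or ESP (IP protocol 50)."""
    if flow["proto"] == "udp" and flow["dport"] in ("500", "4500"):
        return True
    return flow["proto"] == "protocol 50"

def suggest_acl(flow):
    """Permit only the VPN server host to the mapped host, never 'any'."""
    if flow["proto"] == "udp":
        return (f'access-list {flow["acl"]} permit udp host {flow["src"]} '
                f'host {flow["dst"]} eq {flow["dport"]}')
    return f'access-list {flow["acl"]} permit esp host {flow["src"]} host {flow["dst"]}'

def ipsec_acl_lines(text):
    """De-duplicated access-list lines for every denied IPsec flow; other denies are ignored."""
    lines = []
    for flow in parse_denies(text):
        if is_ipsec(flow):
            acl = suggest_acl(flow)
            if acl not in lines:
                lines.append(acl)
    return lines

if __name__ == "__main__":
    for acl in ipsec_acl_lines(SAMPLE_SYSLOG):
        print(acl)
```

The TCP/445 deny in the sample is deliberately left alone: the script only proposes openings for the IPsec flows the thread discusses, so unrelated blocked traffic is not silently permitted.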
 
This is very much the issue I have as well, but my situation is with a Cisco 804 ISDN Router using the 12.22T IOS with IP Firewall & IPSec feature set.
Can anyone advise me on how to pass the Contivity session through the router using NAT? (routable IP address is not really an option)

Thanks
 
OK, got it working.

I added the fixup line and I also added an entry on my inbound access list for my outside interface to allow UDP 500 and ESP in.

Works a treat.

Many thanks
 