
Contivity VPN from inside Pix


Nuna3

Jan 25, 2007
Our CFO used Nortel Contivity to VPN to a remote site. Now we changed over to Fibre and put in a PIX 515E, and he cannot connect using Contivity any more. He's connecting through Phase 1, but Phase 2 fails.
I have opened Port 500 (udp), which enabled the Phase 1 to work, but have no idea what to open to enable Phase 2...any ideas?
Nortel's tech mentioned opening protocol esp50, but could not tell me what port that works on...?

Lowell Barkman. MCSE,A+. Network Administrator for the Nunatsiavut Government.
 
I had the same issue with a client. I had to add these to the PIX config (OS 6.3(5)):

access-list outside_access_in permit udp any any eq isakmp
access-list outside_access_in permit ah any any
access-list outside_access_in permit esp any any

The Nortel client would then work, but IPSEC VPN to the PIX stopped working.
 
If you have installed your PIX with no access-lists from inside-->outside, you won't need any configuration added.

Otherwise the above is needed. But your IPsec to the PIX shouldn't be affected at all. Post your config and mask the public IPs so we can see what's going on.
 
Microdude: tried that; didn't work for me.
boymarty24: no ACLs from inside out. (Someday, when I understand this stuff better, there will be.) When I try to VPN out, the adapter gets a 22. address momentarily, for about 24 seconds, then loses it. Thanks for the interest.
Here's my sanitized config:

Feb20Pix2

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password cMdDMJ3V4e7ljwK/ encrypted
passwd O53TYzRjGxGspzRe encrypted
hostname hillcrestpix
domain-name nunatsiavut.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 22
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol http 2900
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 3306
fixup protocol tftp 69
names
name 192.168.0.3 gisserver
name 192.168.0.24 databaseserver
access-list acl_out permit tcp any host 219.228.52.235 eq www
access-list acl_out permit tcp any host 219.228.52.236 eq www
access-list acl_out permit tcp any host 219.228.52.235 eq https
access-list acl_out permit tcp any host 219.228.52.236 eq ftp
access-list acl_out permit tcp any host 219.228.52.236 eq 3389
access-list acl_out permit tcp any host 219.228.52.236 eq 3307
access-list acl_out permit udp any host 219.228.52.236 eq 443
access-list acl_out permit tcp any host 219.228.52.235 eq 3389
access-list acl_out permit udp any any eq isakmp
access-list acl_out permit udp any any eq 4500
access-list acl_out permit tcp any any eq 500
access-list acl_out permit ah any any
access-list acl_out permit esp any any
access-list acl_dmz permit tcp host gisserver any eq https
access-list acl_dmz permit tcp host databaseserver any eq www
access-list acl_dmz permit tcp host gisserver any eq www
access-list acl_dmz permit tcp host gisserver any eq 3306
access-list acl_dmz permit tcp host databaseserver any eq 3389
access-list acl_dmz permit tcp host databaseserver any eq ftp
access-list acl_dmz permit tcp host databaseserver any eq 3307
access-list acl_dmz permit udp host databaseserver any eq domain
access-list acl_dmz permit udp host gisserver any eq domain
access-list acl_dmz permit udp host databaseserver any eq 443
access-list acl_dmz permit tcp host gisserver any eq 3389
access-list acl_dmz permit tcp host gisserver any eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 219.228.52.234 255.255.255.248
ip address inside 10.10.2.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 219.228.52.235 gisserver netmask 255.255.255.255 0 0
static (dmz,outside) 219.228.52.236 databaseserver netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.2.0 10.10.2.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 219.228.52.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 60
dhcpd address 10.10.2.10-10.10.2.199 inside
dhcpd address 192.168.0.50-192.168.0.199 dmz
dhcpd dns 142.177.1.2 142.177.129.11
dhcpd lease 344000
dhcpd ping_timeout 750
dhcpd domain nunatsiavut
dhcpd enable inside
terminal width 510
Cryptochecksum:cc335a01d25e3a51feb2cffd161db651
: end


Lowell Barkman. MCSE,A+. Network Administrator for the Nunatsiavut Government.
 

Well, I am no guru at Nortel clients, but you can try the fixup command to see if you get any further.

fixup protocol esp-ike

I recommend that you only use this command for testing purposes because it can mess things up. The above command will only allow one IPsec tunnel at a time.

no fixup protocol esp-ike will remove the command.

I was browsing the Cisco site and found some information about the same issue. It seems you need to configure the client to run in NAT traversal mode (500 and 4500). I can't verify this (I don't have the Nortel client), but it might be worth a try.
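An added check, written for this thread and not code from any of the posters, that reads PIX 6.3-style access-list and global lines and reports the IPsec-passthrough posture being debated here: PAT on the outside interface ("global (outside) 1 interface") cannot translate ESP or AH because those protocols carry no port numbers, so a client behind PAT needs NAT traversal (UDP 4500), while an inbound "permit esp any any" is a broad hole by comparison. The config text inside the script is constructed in the style of the posted config, not the real one.

```python
import re
# Constructed sample in the style of the PIX 6.3 config posted above (not the real config).
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 219.228.52.235 eq www
access-list acl_out permit udp any any eq isakmp
access-list acl_out permit udp any any eq 4500
access-list acl_out permit tcp any any eq 500
access-list acl_out permit esp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# PIX 6.3 ACL line: access-list NAME permit|deny PROTO SRC DST [eq PORT]; SRC/DST = any | host A | NET MASK
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+"
                    r"(any|host \S+|\S+ \S+)\s+(any|host \S+|\S+ \S+)(?:\s+eq\s+(\S+))?$")
NAMED_PORTS = {"isakmp": 500, "www": 80, "https": 443}  # only the service names this check needs

def parse_acl(line):
    """Parse one access-list line into a dict; any other config line returns None."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, src, dst, port = m.groups()
    if port is not None:
        port = NAMED_PORTS.get(port, int(port) if port.isdigit() else port)
    return {"acl": name, "action": action, "proto": proto.lower(), "src": src, "dst": dst, "port": port}

def audit_ipsec_passthrough(config_text):
    """Report how the PIX would treat an IPsec client on the inside connecting out."""
    lines = [l.strip() for l in config_text.splitlines()]
    rules = [r for r in map(parse_acl, lines) if r]
    wide = [r for r in rules if r["action"] == "permit" and r["src"] == r["dst"] == "any"]
    return {
        # "global (outside) N interface" is PAT; ESP/AH carry no ports, so PAT cannot multiplex them
        "pat_on_outside": any(l.startswith("global (outside)") and l.endswith("interface") for l in lines),
        "nat_t_udp4500": any(r["proto"] == "udp" and r["port"] == 4500 for r in wide),
        "open_esp_ah_any_any": any(r["proto"] in ("esp", "ah") for r in wide),
        "tcp500_rule": any(r["proto"] == "tcp" and r["port"] == 500 for r in rules),
    }

def recommendations(f):
    out = []
    if f["pat_on_outside"] and not f["nat_t_udp4500"]:
        out.append("PAT in use but no UDP 4500 permit: enable NAT-T on the client and permit udp any any eq 4500.")
    if f["open_esp_ah_any_any"]:
        out.append("permit esp/ah any any admits unsolicited IPsec from anywhere; not needed once NAT-T carries the tunnel.")
    if f["tcp500_rule"]:
        out.append("ISAKMP is UDP 500; a TCP 500 rule serves no purpose.")
    return out
```

Run audit_ipsec_passthrough on a config dump and feed the result to recommendations; the sample above yields two findings (the wide-open ESP permit and the useless TCP 500 rule).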
 
Thanks for weighing in on this one, boymarty24. I tried the fixup protocol, no luck; removed it again.
I have been in touch with Aliant (they are the service provider here), and they have set up NAT traversal mode on their VPN concentrator, or so they say. No difference yet... will keep you informed as things progress.

Lowell Barkman. MCSE,A+. Network Administrator for the Nunatsiavut Government.
 