Re: Nortel VPN client behind PIX 515

Discussion in 'Cisco' started by J. Bias, Apr 30, 2004.

  1. J. Bias

    J. Bias Guest

    Kinda green at this, but seems like a good place to post a question.

    Have a PIX 515 with old software on it (5.0.(3)). Have various users
    who want to connect to external networks using both Nortel VPN clients
    and PPTP, (depends on who and where they're connecting to. some are
    vendors, some are visitors.). Currently the PIX won't pass either
    traffic. IPSEC gets host not responding and PPTP clients get a port
    error.

    If I use Ethereal to watch some of the exchange, the PPTP clients don't
    get the GRE reply from the endpoint.

    The IPSEC clients don't get anywhere. There's an ISAKMP UDP frame from
    host to end point on port 500, but no response from endpoint.

    So... I guess my question is,

    1. Do I want to open this up without doing a software upgrade first.

    2. If I don't need to do an upgrade, how would I structure this
    statement.

    3. Should I control the endpoints that users have access to or should
    I just open this up so that it works globally from any internal host to
    any external endpoint.

    Thanks for any insight.

    J


    -
    J. Bias
    -----------------------------------------------------------------------
    Posted via http://www.mcse.m
    -----------------------------------------------------------------------
    View this thread: http://www.mcse.ms/message625479.htm
    J. Bias, Apr 30, 2004
    #1

  2. In article <>,
    J. Bias <> wrote:
    :Have a PIX 515 with old software on it (5.0.(3)). Have various users
    :who want to connect to external networks using both Nortel VPN clients
    :and PPTP, (depends on who and where they're connecting to. some are
    :vendors, some are visitors.). Currently the PIX won't pass either
    :traffic. IPSEC gets host not responding and PPTP clients get a port
    :error.

    :If I use Ethereal to watch some of the exchange, the PPTP clients don't
    :get the GRE reply from the endpoint.

    :The IPSEC clients don't get anywhere. There's an ISAKMP UDP frame from
    :host to end point on port 500, but no response from endpoint.

    If you are doing one-to-one static mapping, with each
    internal IP having a unique public IP, pass-through should
    work (in theory) at 5.0.(3).

    If you are using PAT, you will not be able to get any of this to
    work unless you update to at least 6.3(1), preferably 6.3(3).

    You -might- be able to get it to work using a nat/global pair
    in which the global statement specifies a range of addresses
    at least as large as the number of internal hosts that ever go out
    simultaneously -- so that at any given moment, a particular internal
    host effectively has a unique external IP.

    It sounds as if you are not permitting through ESP (IP protocol 50),
    AH (IP protocol 51), and GRE (IP protocol 47). PIX 5.0(3) does not,
    as far as I can recall, treat these protocols as having "connections",
    so the Adaptive Security Algorithm will *not* automatically permit
    replies to outgoing ESP, AH, or GRE.


    You probably want 6.3, so that you can use NAT Traversal, which should
    make it a lot easier for the IPSec clients to pass-through (provided
    NAT-T is supported at the other end.) You can use PAT with NAT-T.
    Multiple PPTP pass-through with PAT is still a problem though.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
    Walter Roberson, Apr 30, 2004
    #2

  3. "J. Bias" <> wrote in message
    news:...
    > Have a PIX 515 with old software on it (5.0.(3)). Have various users
    > who want to connect to external networks using both Nortel VPN clients
    > and PPTP, (depends on who and where they're connecting to. some are
    > vendors, some are visitors.). Currently the PIX won't pass either
    > traffic. IPSEC gets host not responding and PPTP clients get a port
    > error.



    PIX needs at least 6.3 to handle IPSEC/ESP packets with NAT overloaded to a
    single address (I assume you do NAT) and then it can only handle one
    session.


    > If I use Ethereal to watch some of the exchange, the PPTP clients don't
    > get the GRE reply from the endpoint.


    With that version you are no-go.

    http://www.cisco.com/warp/public/110/pix_pptp.html

    > 1. Do I want to open this up without doing a software upgrade first.



    With the Nortel, the newer Nortel Software supports "NAT-T" (UDP 4500) which
    should work great. If you can get the servers to support NAT-T and the
    newer clients, the Nortel problem goes away.

    I'm not sure about 5.x, but some PIX versions will allow IPSEC or GRE with
    *pools* of addresses instead of a single address. Don't know if that is an
    option.

    > 2. If I don't need to do an upgrade, how would I structure this
    > statement.


    See above.

    > 3. Should I control the endpoints that users have access to or should
    > I just open this up so that it works globally from any internal host to
    > any external endpoint.


    Are these NATted endpoints?
    Phillip Remaker, May 1, 2004
    #3
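As an added illustration of the point Walter and Phillip both make (why ESP, AH and GRE cannot be overloaded onto a single PAT address while NAT-T on UDP 4500 can, and why a global pool at least as large as the number of simultaneous hosts works), here is a small Python model of the translation table. It is a constructed example, not Cisco code and not any poster's; the 10.0.0.x and 203.0.113.x addresses are made up.

```python
"""Toy model of NAT/PAT translation for the protocols in this thread.
Constructed example, not Cisco code and not any poster's: it shows why
ESP (IP proto 50), AH (51) and GRE (47) cannot be overloaded onto one
global address, while NAT-T (ESP inside UDP 4500) translates fine."""
from dataclasses import dataclass, field

GRE, ESP, AH, UDP = 47, 50, 51, 17
PORTLESS = {GRE, ESP, AH}          # no L4 port field for PAT to rewrite


@dataclass
class Translator:
    pool: list                      # global addresses; one entry == PAT overload
    next_port: int = 1024
    table: dict = field(default_factory=dict)  # (gip, proto, gport) -> (inside, sport)

    def outbound(self, inside_ip, proto, sport=None):
        """Allocate a translation for an outgoing flow; None if none is possible."""
        if proto in PORTLESS:
            # Only (global_ip, proto) identifies the flow, so at most one
            # inside host per global address (5.0(3) built no such entry at
            # all, which is why replies were dropped in the thread).
            for gip in self.pool:
                key = (gip, proto, None)
                if self.table.get(key, (inside_ip, None)) == (inside_ip, None):
                    self.table[key] = (inside_ip, None)
                    return key
            return None
        gport, self.next_port = self.next_port, self.next_port + 1
        key = (self.pool[0], proto, gport)   # ports let many hosts share one address
        self.table[key] = (inside_ip, sport)
        return key

    def inbound(self, gip, proto, dport=None):
        """Reply from the remote endpoint: the inside host, or None (dropped)."""
        return self.table.get((gip, proto, dport))


def demo(n_globals, proto, hosts=("10.0.0.5", "10.0.0.6")):
    """Which inside hosts get their replies back, per host, for a given pool size."""
    t = Translator([f"203.0.113.{i + 1}" for i in range(n_globals)])  # constructed
    keys = [t.outbound(h, proto, 4500 if proto == UDP else None) for h in hosts]
    return [t.inbound(*k)[0] if k else None for k in keys]


if __name__ == "__main__":
    print("ESP, single PAT address :", demo(1, ESP))   # second host gets None
    print("ESP, pool of two globals:", demo(2, ESP))   # both hosts translated
    print("NAT-T UDP 4500, PAT     :", demo(1, UDP))   # both hosts translated
```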
  4. J. Bias

    J. Bias Guest

    Thanks for the info guys.

    I'm not sure I follow on the NAT'd endpoints question(?). Only NAT
    statement I can see in the config is:

    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0


    and the global statement to the outside address, but nothing else. I
    have to do some reading, this is a bit confusing. I think I understand
    what you're getting at though.

    I'm guessing that a software upgrade is probably the best route at the
    moment.

    On the Nortel client side, I'll see if I can hunt down the client and
    do some testing.

    Thank you very much. I'm off to break my firewall! :)

    -J


    J. Bias, May 3, 2004
    #4