RE: Nortel Contivity Client On PC Behind PIX

From: Kelly Cobean (kcobean@earthlink.net)
Date: Mon Feb 03 2003 - 19:42:22 GMT-3


Actually, you don't have to have a static translation for the internal
client if you're using a PIX. We just implemented a PIX for this very
reason. We have LOTS of people coming into our building with the Nortel
client on their laptops, and we were getting REALLY tired of setting up
static translations on our Checkpoint Firewall, so we bought a PIX because
it supports NAT pools. Here's our relevant config... 192.168.244.35 and
192.168.244.51 are the VPN Gateways on the outside interface.

access-list XXX_access_in permit ah host 192.168.244.35 any
access-list XXX_access_in permit esp host 192.168.244.35 any
access-list XXX_access_in permit udp host 192.168.244.35 eq isakmp any eq isakmp
access-list XXX_access_in permit ah host 192.168.244.51 any
access-list XXX_access_in permit esp host 192.168.244.51 any
access-list XXX_access_in permit udp host 192.168.244.51 eq isakmp any eq isakmp

HTH,
Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
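
As an added check that is not part of the thread: a small Python model of PIX first-match inbound ACL evaluation, run over the access-list above, to confirm what IPsec traffic from the two gateways it admits (AH and ESP carry no ports; the "isakmp" keyword is UDP 500). The inside destination address and the UDP 4500 probe in the comments are constructed values.

```python
from typing import NamedTuple, Optional

ISAKMP = 500  # the PIX keyword "isakmp" resolves to UDP port 500

# The inbound ACL from the post above, embedded here as sample input.
ACL_TEXT = """
access-list XXX_access_in permit ah host 192.168.244.35 any
access-list XXX_access_in permit esp host 192.168.244.35 any
access-list XXX_access_in permit udp host 192.168.244.35 eq isakmp any eq isakmp
access-list XXX_access_in permit ah host 192.168.244.51 any
access-list XXX_access_in permit esp host 192.168.244.51 any
access-list XXX_access_in permit udp host 192.168.244.51 eq isakmp any eq isakmp
"""
class Rule(NamedTuple):
    action: str
    proto: str
    src: str                 # "any" or a single host address
    sport: Optional[int]     # None when the rule names no port (ah/esp)
    dst: str
    dport: Optional[int]

def _addr(t, i):
    # 'any' or 'host <ip>'; returns (address, index of the next token)
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def _port(t, i):
    # optional 'eq <port|isakmp>'; returns (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return (ISAKMP if t[i + 1] == "isakmp" else int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        rules.append(Rule(t[2], t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    # First match wins; a PIX ACL ends with an implicit deny.
    for r in rules:
        if r.proto == proto and r.src in ("any", src) and r.dst in ("any", dst) \
                and r.sport in (None, sport) and r.dport in (None, dport):
            return r.action
    return "deny"
```

Running evaluate() with UDP 4500 (NAT-T) or with ESP from a host other than the two gateways returns "deny", which is the behaviour to expect from this list as posted.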

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chuck Church
Sent: Friday, January 31, 2003 1:49 PM
To: Wright, Jeremy; security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Re: Nortel Contivity Client On PC Behind PIX

Jeremy,

    I did this about 18 months ago for a client. Not sure if Nortel has
changed anything, but I had:

ip nat inside source static 192.168.2.77 x.x.104.244

access-list 101 permit tcp any any range 8003 8004
access-list 101 permit udp any any range 8003 8004
access-list 101 permit udp any any eq isakmp
access-list 101 permit ahp any any
access-list 101 permit esp any any

This was on a router, but it should apply to PIX as well. It's IPSec, so
you need a static NAT for the internal VPN client. I think all these access
rules were needed as well. ACL 101 is on the outside interface, inbound.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Wright, Jeremy" <wright@admworld.com>
To: <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, January 31, 2003 12:28 PM
Subject: OT: Nortel Contivity Client On PC Behind PIX

> Does anyone have a sample config that shows a PC with Nortel Contivity VPN
> software on it establishing a VPN through a PIX to an outside destination?
> (Meaning a sample of the PIX config)
>
> ************************
> Jeremy Wright
> Network Analyst
> Archer Daniels Midland
> ja_wright@admworld.com
> (217)451-4063
>
> ************************

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:04 GMT-3