RE: Nortel Contivity Client On PC Behind PIX

From: tsiartas@ameritech.net
Date: Tue Feb 04 2003 - 12:53:54 GMT-3


Check with your Contivity documentation and the version of the client; I
am using the latest and it supports "IPsec NAT traversal", which can do
ISAKMP on higher ports, not just 500. I have seen my client connect on
port 10500.

t

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chuck Church
Sent: Monday, February 03, 2003 8:25 PM
To: Kelly Cobean; ccielab
Subject: Re: Nortel Contivity Client On PC Behind PIX

Yes, I was a little incorrect on that one. What I meant to say was that
it wouldn't work with PAT (1 to many translation). Any 1-1 translation
(dynamic or static) will work. So a good way to do it is to reserve a
VLAN for VPN client users, and make sure the pool for this VLAN is all 1-1
translations. That's how I've done a couple sites and it works pretty
well.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Kelly Cobean" <kcobean@earthlink.net>
To: "Chuck Church" <ccie8776@rochester.rr.com>; "ccielab"
<ccielab@groupstudy.com>
Sent: Monday, February 03, 2003 5:42 PM
Subject: RE: Nortel Contivity Client On PC Behind PIX

> Actually, you don't have to have a static translation for the internal
> client if you're using a PIX. We just implemented a PIX for this very
> reason. We have LOTS of people coming into our building with the Nortel
> client on their laptops, and we were getting REALLY tired of setting up
> static translations on our Checkpoint Firewall, so we bought a PIX because
> it supports NAT pools. Here's our relevant config... 192.168.244.35 and
> 192.168.244.51 are the VPN Gateways on the outside interface.
>
>
> access-list XXX_access_in permit ah host 192.168.244.35 any
> access-list XXX_access_in permit esp host 192.168.244.35 any
> access-list XXX_access_in permit udp host 192.168.244.35 eq isakmp any eq isakmp
> access-list XXX_access_in permit ah host 192.168.244.51 any
> access-list XXX_access_in permit esp host 192.168.244.51 any
> access-list XXX_access_in permit udp host 192.168.244.51 eq isakmp any eq isakmp
>
>
> HTH,
> Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Chuck Church
> Sent: Friday, January 31, 2003 1:49 PM
> To: Wright, Jeremy; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Re: Nortel Contivity Client On PC Behind PIX
>
>
> Jeremy,
>
> I did this about 18 months ago for a client. Not sure if Nortel has
> changed anything, but I had:
>
> ip nat inside source static 192.168.2.77 x.x.104.244
>
> access-list 101 permit tcp any any range 8003 8004
> access-list 101 permit udp any any range 8003 8004
> access-list 101 permit udp any any eq isakmp
> access-list 101 permit ahp any any
> access-list 101 permit esp any any
>
> This was on a router, but it should apply to Pix as well. It's IPSec, so
> you need a static nat for the internal VPN client. I think all these access
> rules were needed as well. ACL 101 is on the outside interface, inbound.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "Wright, Jeremy" <wright@admworld.com>
> To: <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Friday, January 31, 2003 12:28 PM
> Subject: OT: Nortel Contivity Client On PC Behind PIX
>
>
> > Does anyone have a sample config that shows a PC with Nortel Contivity VPN
> > software on it establishing a VPN through a PIX to an outside destination?
> > (Meaning a sample of the PIX config)
> >
> > ************************
> > Jeremy Wright
> > Network Analyst
> > Archer Daniels Midland
> > ja_wright@admworld.com
> > (217)451-4063
> >
> > ************************
> >
> >
> >
> > CONFIDENTIALITY NOTICE:
> >
> > This message is intended for the use of the individual or entity to
> > which it is addressed and may contain information that is privileged,
> > confidential and exempt from disclosure under applicable law. If the
> > reader of this message is not the intended recipient or the employee or
> > agent responsible for delivering this message to the intended recipient,
> > you are hereby notified that any dissemination, distribution or copying of
> > this communication is strictly prohibited.
> > If you have received this communication in error, please notify us
> > immediately by email reply or by telephone and immediately delete this
> > message and any attachments. In the U.S. call us toll free at (800)
> > 637-5843.
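The thread turns on one point: ESP (IP protocol 50) carries no ports, so a many-to-one translation (PAT) has nothing to key return traffic on, while a 1-to-1 translation matches on the outside address alone, and NAT traversal sidesteps the problem by wrapping ESP in UDP. The toy translator below is an added example written for this archive page; it is not a PIX or Nortel configuration and not code from any of the posters. All inside addresses and the PAT outside address are constructed; the gateway address is taken from Kelly's config, and the UDP port 4500 is an assumption (the RFC 3948 encapsulation port; the reply above reports 10500 for one Nortel client, and the point holds for either).

```python
"""Toy NAT model: why ESP survives a 1-to-1 translation but not PAT,
and why UDP-encapsulated IPsec (NAT traversal) survives PAT.

Added example, not a PIX/Nortel config and not code from the thread.
Inside hosts and the PAT outside address are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50            # IP protocol 50: ESP has no transport-layer ports
UDP = 17
NAT_T_PORT = 4500   # assumption: RFC 3948 UDP port (the thread reports 10500 for one client)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP/AH, which carry no ports
    dport: Optional[int] = None


class StaticNat:
    """1-to-1 translation (the 'dynamic or static' 1-1 pool in the thread):
    each inside host owns an outside address, so returning packets are
    matched on the destination address alone and ports are never needed."""

    def __init__(self, mapping: Dict[str, str]):
        self.in2out = dict(mapping)                       # inside -> outside
        self.out2in = {o: i for i, o in mapping.items()}  # outside -> inside

    def outbound(self, p: Packet) -> Optional[Packet]:
        out = self.in2out.get(p.src)
        return None if out is None else Packet(p.proto, out, p.dst, p.sport, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.out2in.get(p.dst)
        return None if inside is None else Packet(p.proto, p.src, inside, p.sport, p.dport)


class Pat:
    """Many-to-one translation: one outside address shared by every inside
    host. Return traffic is demultiplexed on the translated source port, so
    a protocol without ports can only be keyed on (protocol, peer)."""

    def __init__(self, outside: str, first_port: int = 1024):
        self.outside = outside
        self.next_port = first_port
        self.portless: Dict[Tuple[int, str], str] = {}       # (proto, peer) -> inside host
        self.flows: Dict[Tuple, int] = {}                     # 5-tuple -> translated port
        self.rev: Dict[Tuple, Tuple[str, int]] = {}           # (proto, xport, peer, pport) -> (inside, sport)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.sport is None:
            owner = self.portless.setdefault((p.proto, p.dst), p.src)
            if owner != p.src:
                return None   # second inside host to the same peer: nothing to key on, drop
            return Packet(p.proto, self.outside, p.dst)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        xport = self.flows.get(key)
        if xport is None:
            xport, self.next_port = self.next_port, self.next_port + 1
            self.flows[key] = xport
            self.rev[(p.proto, xport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(p.proto, self.outside, p.dst, xport, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.outside:
            return None
        if p.sport is None:
            inside = self.portless.get((p.proto, p.src))
            return None if inside is None else Packet(p.proto, p.src, inside)
        hit = self.rev.get((p.proto, p.dport, p.src, p.sport))
        if hit is None:
            return None
        inside, sport = hit
        return Packet(p.proto, p.src, inside, p.sport, sport)


GATEWAY = "192.168.244.35"            # VPN gateway address from Kelly's config
CLIENTS = ["10.0.0.11", "10.0.0.12"]  # constructed inside hosts


def deliver_replies(nat, nat_t: bool) -> List[Optional[str]]:
    """Send one packet from each inside client to the gateway through `nat`
    and return the inside address each gateway reply is delivered to
    (None = dropped). nat_t=True wraps the traffic in UDP/NAT_T_PORT."""
    delivered: List[Optional[str]] = []
    for c in CLIENTS:
        out = Packet(UDP, c, GATEWAY, NAT_T_PORT, NAT_T_PORT) if nat_t else Packet(ESP, c, GATEWAY)
        xlated = nat.outbound(out)
        if xlated is None:
            delivered.append(None)
            continue
        # The gateway answers whatever source it saw, swapping addresses and ports.
        reply = Packet(xlated.proto, xlated.dst, xlated.src, xlated.dport, xlated.sport)
        back = nat.inbound(reply)
        delivered.append(back.dst if back else None)
    return delivered


if __name__ == "__main__":
    static = StaticNat({"10.0.0.11": "198.51.100.11", "10.0.0.12": "198.51.100.12"})
    print("1-to-1 NAT, raw ESP:", deliver_replies(static, nat_t=False))
    print("PAT,        raw ESP:", deliver_replies(Pat("198.51.100.1"), nat_t=False))
    print("PAT,        NAT-T  :", deliver_replies(Pat("198.51.100.1"), nat_t=True))
```

Under 1-to-1 translation both clients' ESP replies come back to the right host; under PAT only the first client to reach a given gateway works and the second is dropped (a simplification of what a translator without ESP awareness does); with the traffic wrapped in UDP, PAT assigns each client its own translated port and both work. The practical caveat for the PIX side: the inbound access-list in Kelly's config permits only ah, esp and udp isakmp from the gateways, so a client that falls back to NAT traversal also needs a permit for the UDP port it actually uses, because ESP then arrives inside UDP rather than as protocol 50.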



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:07 GMT-3