Security Basics mailing list archives
RE: Nortel Contivity VPN and Firewalls
From: "Rudiger Lenz" <rlenz () upandrun de>
Date: Mon, 18 Aug 2003 14:38:14 +0200
Just one comment: if you use NAT-T (NAT traversal), or rather if the client and GW decide that NAT-T has to be used, you also need to open the higher UDP port, i.e. 4500 (or whatever is configured on the GW). Or, if you force it, then you need only UDP 500 and 4500 etc., and no ESP or AH (IP 50/51), because even the ESP packets will travel via the NAT-T UDP port, i.e. 4500.

Hope this helps.

-----Original Message-----
From: Peter Van Eeckhoutte [mailto:peter.ve () pandora be]
Sent: Friday, 15 August 2003 13:49
To: Leonard.Ong () nokia com; SecurityBasics
Subject: Re: Nortel Contivity VPN and Firewalls

I don't think you need TCP 57... only UDP 500, and IP protocol 50 and/or 51 (depending on whether you are using ESP (I think that is the default setting with Nortel) or AH).

----- Original Message -----
From: <Leonard.Ong () nokia com>
To: <Henry.Won () jda com>; <security-basics () securityfocus com>
Sent: Thursday, August 14, 2003 5:26 AM
Subject: RE: Nortel Contivity VPN and Firewalls

Hello All,

Thanks for your inputs on allowing Nortel VPN. Basically the simplified version would be:

Host in Extranet -> Firewall -> Internet -> Nortel VPN Gateway

Now we need to have the correct ports open on the Firewall. From the inputs I've received so far:

a. UDP 500
b. IP Protocol 50
c. TCP 57

Did I miss something?

Regards,
Leonard
-----Original Message-----
From: ext Henry Won [mailto:Henry.Won () jda com]
Sent: Thursday, August 14, 2003 12:13 AM
To: Ong Leonard (NBI/Singapore); security-basics () securityfocus com
Subject: RE: Nortel Contivity VPN and Firewalls

Assuming your clients are trying to connect to a Contivity box outside the firewall, you probably need to map global IP to local IP for whoever is trying to connect, as well as allowing inbound ESP.

Henry
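The two rule sets the thread converges on, as an added example that is not part of the original posts and not Nortel's or any vendor's code: without NAT traversal the filter has to admit UDP 500 plus raw ESP (IP protocol 50) and AH (51); once NAT-T is negotiated, IKE moves to UDP 4500 and ESP is carried inside UDP 4500, so the raw ESP/AH rules become unnecessary. The UDP 4500 demultiplexing follows RFC 3948 (a single 0xFF byte is a NAT keepalive, four zero bytes are the Non-ESP marker in front of an IKE header, anything else starts with a non-zero ESP SPI). The packet samples are constructed, the 4500 port number is the default (the gateway may be configured otherwise, as the reply notes), and the checker is stateless, so it says nothing about the reverse-direction state a real firewall would track.

```python
"""IPsec firewall allow-list checker with RFC 3948 UDP 4500 demultiplexing.

Added example for this thread (not code from the original posts or from
Nortel). Packet samples below are constructed for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500        # ISAKMP/IKE
NAT_T_PORT = 4500     # IKE and ESP-in-UDP once NAT traversal is negotiated (default port)


@dataclass(frozen=True)
class Packet:
    """The fields a stateless filter looks at: IP protocol, UDP dport, payload."""
    proto: int
    dport: Optional[int] = None   # only meaningful when proto == IPPROTO_UDP
    payload: bytes = b""


def classify_nat_t_payload(payload: bytes) -> str:
    """Say what a UDP 4500 datagram carries, per RFC 3948 section 2.

    - one 0xFF byte                                     -> NAT keepalive
    - four zero bytes (Non-ESP marker) then IKE header  -> IKE
    - anything else: first four bytes are a non-zero SPI -> ESP
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    (marker,) = struct.unpack("!I", payload[:4])
    return "ike" if marker == 0 else "esp"


def rules_for(nat_t: bool) -> set[tuple[int, Optional[int]]]:
    """Allow-list as (ip_proto, udp_dport) pairs.

    Without NAT-T: UDP 500 plus raw ESP (50) and AH (51).
    With NAT-T:    UDP 500 plus UDP 4500; raw ESP/AH never appear on the
                   wire because ESP rides inside UDP 4500.
    """
    rules: set[tuple[int, Optional[int]]] = {(IPPROTO_UDP, IKE_PORT)}
    if nat_t:
        rules.add((IPPROTO_UDP, NAT_T_PORT))
    else:
        rules.update({(IPPROTO_ESP, None), (IPPROTO_AH, None)})
    return rules


def permitted(pkt: Packet, nat_t: bool) -> bool:
    """True if the stateless allow-list for the given mode admits the packet."""
    key = (pkt.proto, pkt.dport if pkt.proto == IPPROTO_UDP else None)
    return key in rules_for(nat_t)


# --- constructed sample traffic -------------------------------------------
# IKEv1 header: initiator cookie, zero responder cookie, next payload (SA=1),
# version 1.0, exchange type 2 (identity protection), flags, message id, length.
IKE_HDR = struct.pack("!8s8sBBBBII", b"\x11\x22\x33\x44\x55\x66\x77\x88",
                      b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
# ESP: SPI, sequence number, then opaque ciphertext (constructed filler).
ESP_BODY = struct.pack("!II", 0x0000ABCD, 1) + b"\xde\xad\xbe\xef" * 4

IKE_ON_500 = Packet(IPPROTO_UDP, IKE_PORT, IKE_HDR)
RAW_ESP = Packet(IPPROTO_ESP, None, ESP_BODY)
IKE_ON_4500 = Packet(IPPROTO_UDP, NAT_T_PORT, b"\x00\x00\x00\x00" + IKE_HDR)
ESP_ON_4500 = Packet(IPPROTO_UDP, NAT_T_PORT, ESP_BODY)
KEEPALIVE = Packet(IPPROTO_UDP, NAT_T_PORT, b"\xff")


def coverage(nat_t: bool) -> dict[str, bool]:
    """Which of the sample packets each rule set lets through."""
    samples = {"ike_500": IKE_ON_500, "raw_esp": RAW_ESP, "ike_4500": IKE_ON_4500,
               "esp_4500": ESP_ON_4500, "keepalive": KEEPALIVE}
    return {name: permitted(p, nat_t) for name, p in samples.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"NAT-T={mode}: {coverage(mode)}")
    for p in (IKE_ON_4500, ESP_ON_4500, KEEPALIVE):
        print(f"UDP {NAT_T_PORT} payload -> {classify_nat_t_payload(p.payload)}")
```

Running `coverage(False)` shows raw ESP admitted and everything on UDP 4500 dropped; `coverage(True)` shows the reverse, which is the point made in the reply: with NAT-T the ESP packets never reach the firewall as IP protocol 50, so opening 50/51 buys nothing and opening UDP 4500 is what matters.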
Current thread:
- Nortel Contivity VPN and Firewalls Leonard.Ong (Aug 13)
- RE: Nortel Contivity VPN and Firewalls Chris DeVoney (Aug 13)
- RE: Nortel Contivity VPN and Firewalls Seva Batkin (Aug 13)
- <Possible follow-ups>
- RE: Nortel Contivity VPN and Firewalls Henry Won (Aug 13)
- Re: Nortel Contivity VPN and Firewalls Scott Davis (Aug 13)
- Re: Nortel Contivity VPN and Firewalls Jiang Peng (Aug 14)
- RE: Nortel Contivity VPN and Firewalls DeGennaro, Gregory (Aug 13)
- RE: Nortel Contivity VPN and Firewalls Jac (Aug 14)
- RE: Nortel Contivity VPN and Firewalls Leonard.Ong (Aug 14)
- Re: Nortel Contivity VPN and Firewalls Peter Van Eeckhoutte (Aug 15)
- RE: Nortel Contivity VPN and Firewalls Rudiger Lenz (Aug 18)
- Re: Nortel Contivity VPN and Firewalls Peter Van Eeckhoutte (Aug 15)
- RE: Nortel Contivity VPN and Firewalls DeGennaro, Gregory (Aug 14)