Welcome to ISAserver.org
RE: Nortel Contivity through ISA

All Forums >> [ISA Server 2000 Firewall] >> VPN >> RE: Nortel Contivity through ISA (page 3 of 4)

RE: Nortel Contivity through ISA - 23.May2002 8:55:00 PM   
spyros
Posts: 19
Joined: 26.Mar.2002
Status: offline
Thanks Stefaan!

I had done one of the captures before (though I did not keep the capture). Without ISA (i.e., when I was using Linksys instead of ISA), it used UDP/500 and IP 50. However, I gather from the posts above that it can use UDP/10001 instead of IP 50.

Haven't analyzed the ISA logs yet, nor done the netmon trace with ISA. I guess that's next...

Thanks for your help!

ss

[ May 23, 2002, 08:57 PM: Message edited by: Spyros Sakellariadis ]

(in reply to scottamoore)
Post #: 41
RE: Nortel Contivity through ISA - 23.May2002 10:49:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Spyros,

you have said the magic words 'it used UDP/500 and IP 50'. That's not good! [Razz]

I would first get the VPN running *without* ISA but *with* the UDP encapsulated ESP. Once that is working and you verified it with a Network Monitor, then try it through ISA.

HTH,
Stefaan

(in reply to scottamoore)
Post #: 42
RE: Nortel Contivity through ISA - 23.May2002 11:07:00 PM   
spyros
Posts: 19
Joined: 26.Mar.2002
Status: offline
Apparently the early Nortel switches only did IP 50 and not UDP encapsulation, but the later ones did. (Not being a Nortel expert, I say "apparently"). In an earlier post in this thread, someone said the server needs to be at ver 4.0. I just found out our server is not at this rev level, so I think I'm OOL for the moment.

I'll try some of the other ideas; also, maybe I'll try to get them to upgrade our server!
Thanks!

ss

(in reply to scottamoore)
Post #: 43
RE: Nortel Contivity through ISA - 23.May2002 11:17:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Spyros,

good to hear the problem is identified. [Wink]

Cheers,
Stefaan

(in reply to scottamoore)
Post #: 44
RE: Nortel Contivity through ISA - 28.May2002 12:13:00 PM   
spyros
Posts: 19
Joined: 26.Mar.2002
Status: offline
While waiting for corporate MIS to upgrade the Nortel server, I am using a workaround (albeit a miserable one) which I thought I'd pass on:

I installed the Nortel client on the ISA server itself. To access the corporate Nortel server, I stop the ISA services, establish my VPN, and do my business. Then I logout and restart ISA.

Sucks, but at least I have a way in extremis to get to corporate...

Spyros

(in reply to scottamoore)
Post #: 45
RE: Nortel Contivity through ISA - 28.May2002 9:54:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Spyros,

indeed it sucks, but it is better than nothing [Big Grin]

Thanks,
Stefaan

(in reply to scottamoore)
Post #: 46
RE: Nortel Contivity through ISA - 29.May2002 7:19:00 PM   
Guest
I have worked through the very same issue. I do not know the version of the remote Nortel server because it is a government site and they were unwilling to give me that information. Nonetheless, here is what I had to set up to get it to work.

Protocol Definitions:

UDP port 500 (Send)
UDP port 10000 (Send)

I did not create any protocol rules. However, I did set up some packet filters.

Packet filters

- TCP, Direction = both, local port = ALL, remote port = 10000
- TCP, Direction = both, local port = ALL, remote port = 500
- UDP, Direction = both, local port = Fixed 10000, remote port = 10000
- UDP, Direction = both, local port = Fixed 500, remote port = 500
- Custom , Protocol #50 , Direction = both

I am not sure that this is the best solution but it does work. I am going to do some testing to ensure there are no glaring security holes. But for now it solves my problem.

I hope this helps
Mike
MCSE, MCP+I, CCA

(in reply to scottamoore)
Post #: 47
RE: Nortel Contivity through ISA - 29.May2002 9:01:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

this is *not* the optimum configuration. I would do it this way:

Create two protocol definitions:
- UDP Port 500 Send Receive : this is for the IKE protocol (key negotiation).
- UDP Port XXXX Send Receive : this is for the UDP encapsulated ESP packets. The administrator of the VPN gateway should be able to tell you the exact port number to use.

Next, create a protocol rule that allows those two created protocols.

Finally, get rid of all those ugly packet filters. [Big Grin]

BTW --- I see often that people use packet filters when they are definitely not needed. So, if you don't need them, don't use them! Remember that packet filters are static. On the other hand, protocol rules open only the necessary ports when they are needed (dynamically).

HTH,
Stefaan

(in reply to scottamoore)
Post #: 48
RE: Nortel Contivity through ISA - 30.May2002 1:26:00 AM   
Guest
I had a feeling I would get a response [Eek!] . Before I came to my Band-Aid solution I had attempted your solution and several variations with no success. I would love to axe the packet filters and stick with the more manageable protocol rules, but I have not been able to get that configuration running. From the look of some of the other posts I am not alone. I have heard that there may be a trick to the send/receive receive/send combinations that will allow it to run. Unfortunately I don't have the ability to test/try any of these combinations as I am using a production ISA server for my testing (Again not ideal, but life is not ideal).

I am just happy to be up and running [Razz]
Mike

(in reply to scottamoore)
Post #: 49
RE: Nortel Contivity through ISA - 30.May2002 9:03:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mike,

haha, you are right... I can't resist. [Big Grin]

Well, I'm pretty sure the recommended configuration is the good one. You don't need packet filters for that. Look again in the above posts and you will see that Isaac Martinez has got it running that way. Moreover, it is the same basic setup as for a Checkpoint, Cisco, Netscreen, ... VPN client with the NAT traversal feature.

One thing you must keep in mind is that the client must be a SecureNAT client and that the firewall client must be disabled when setting up the VPN connection. Also, when certificates are involved disable filtering of IP fragments on ISA.

HTH,
Stefaan

(in reply to scottamoore)
Post #: 50
RE: Nortel Contivity through ISA - 12.Jul.2002 4:25:00 PM   
scassoc
Posts: 5
Joined: 3.Jul.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Scott,

for your information: IP 50 is IP PROTOCOL (not port) number 50 and stands for ESP (IP Encapsulating Security Payload) and is part of the IPSec standard.

Regards,
Stefaan

It's probably staring me in the face, but how do I define IP PROTOCOL 50 (ESP)?

regards,
Simon

(in reply to scottamoore)
Post #: 51
RE: Nortel Contivity through ISA - 12.Jul.2002 6:47:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Select the custom option in the Packet Filter Wizard. You can create the IP Protocol filter there.

HTH,
Tom

(in reply to scottamoore)
Post #: 52
RE: Nortel Contivity through ISA - 26.Aug.2002 10:00:00 PM   
securityguy75
Posts: 9
Joined: 26.Aug.2002
Status: offline
Let me jump on the train and say that this is great reading. I have an ISA server at home as firewall and tried to use VPN through our Nortel Contivity switch at corporate without success. I'm going to re-install the client tonight and give it a shot.

(in reply to scottamoore)
Post #: 53
RE: Nortel Contivity through ISA - 27.Aug.2002 1:48:00 AM   
securityguy75
Posts: 9
Joined: 26.Aug.2002
Status: offline
Ok guys, disappointing results. It connects half way and dies out when it says "checking for banner text from: xxx.xxx.xxx.xxx (ip address)". It gets an IP and name servers assignment, but the connection times out after the banner text message. Our Nortel switch has the latest firmware and I am using the latest client software trying to reach it from behind ISA server. I opened up UDP port 500 and 10001. It does not matter whether I use SecureNAT or Firewall client software. Neither worked for me. Any thoughts??

(in reply to scottamoore)
Post #: 54
RE: Nortel Contivity through ISA - 27.Aug.2002 9:29:00 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Security Guy,

and what are the ISA logs telling you?

HTH,
Stefaan

(in reply to scottamoore)
Post #: 55
RE: Nortel Contivity through ISA - 31.Aug.2002 10:37:00 AM   
bcdelozier
Posts: 11
Joined: 19.Feb.2002
From: Oklahoma City, OK
Status: offline
Sorry,
You'll have to pardon my frustration. [Mad] My company seems to have an affinity for implementing software that doesn't work with the mainstream. (go figure)
Nortel has problems with other protocol construction concerning other things as well. We're trying to upgrade our Cell Relay equipment to new Cisco gear. Well, the Cisco can't talk to our Nortel gear because of a poorly constructed protocol stack. This simply fits right in with your theory that it actually isn't Mickeysoft.

Thanks,
[Smile]
Brad

(in reply to scottamoore)
Post #: 56
RE: Nortel Contivity through ISA - 4.Sep.2002 8:22:00 PM   
securityguy75
Posts: 9
Joined: 26.Aug.2002
Status: offline
I am sorry that I haven't gotten back to this topic for a while. I gave up a while back because no matter what I tried, nothing worked. I do need to check the logs again and see what it tells me. At the Nortel Contivity switch, the log simply shows "Authentication failure", so it's not the switch. Obviously, the switch was waiting for a response from my end, but ISA was not allowing that response to pass through. Right now, if I need to get through my company's Nortel switch for VPN access, I use a laptop loaded with Zone Alarm directly connected to my broadband connection. (sad,..but it works!). Stay tuned...

(in reply to scottamoore)
Post #: 57
RE: Nortel Contivity through ISA - 5.Sep.2002 3:30:00 AM   
securityguy75
Posts: 9
Joined: 26.Aug.2002
Status: offline
Ok, below is what I get with default fields selected for Firewall log; all fields logged for IP packet filter log. The Nortel client software seems to try to ping the client if it realizes the conversation does not get through. I changed the firewall hostname and our Contivity switch's IP for security reasons. 12.20.4.28 is the firewall IP. The client machine with Nortel client software installed has ISA as the default gateway with no firewall client software loaded.

Firewall log entries:
first try:
192.168.200.211 - - 2002-09-05 01:19:48 CB797123-B - - - - - - 0 UDP Bind 0 778 3538
192.168.200.211 - - 2002-09-05 01:19:48 CB797123-B - 6.19.11.19 500 - - - 500 UDP UdpMap 0 778 3538

second try:
192.168.200.211 - - 2002-09-05 01:21:40 CB797123-B - 6.19.11.19 500 112011 986 1576 500 UDP UdpMap 20000 778 3538
192.168.200.211 - - 2002-09-05 01:21:40 CB797123-B - - - 112011 986 1576 0 UDP Bind 20001 778 3538

I don't understand what it's trying to do actually. It uses dynamic remote UDP ports.

Packet filter log:
2002-09-05 01:36:21 192.168.200.211 6.19.11.19 ICMP 3 3 - BLOCKED 12.20.4.28 45 00 00 38 e6 1e 00 00 80 01 11 a7 c0 a8 c8 d3 41 c1 77 c2 03 03 62 8d 00 00 00 00 45 00 00 68 0f 24 00 00 80 11 e8 61 41 c1 77 c2 c0 a8 c8 d3 01 f4 01 f4 00 54 96 33

[ September 05, 2002, 03:32 AM: Message edited by: Security Guy ]

(in reply to scottamoore)
Post #: 58
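The packet filter log line above ends with the raw bytes of the blocked packet, and those bytes can be decoded to see what ISA actually dropped. The following is an added example (not code from the poster or from ISA Server): it parses the outer IPv4 header, the ICMP header, and, because the message is ICMP type 3 (Destination Unreachable), the quoted inner IP and UDP headers that RFC 792 requires such a message to carry. Function names are mine. Note that the hex payload carries the real header bytes, so a text-level address substitution like the one made in the post does not reach it; raw dumps need scrubbing too before they are shared.

```python
import struct
from ipaddress import IPv4Address

# Hex bytes copied from the packet-filter log line in the post above: the packet
# ISA blocked, sent by 192.168.200.211 (the Nortel client host) as ICMP type 3 code 3.
BLOCKED_PACKET_HEX = (
    "45 00 00 38 e6 1e 00 00 80 01 11 a7 c0 a8 c8 d3 41 c1 77 c2 "
    "03 03 62 8d 00 00 00 00 "
    "45 00 00 68 0f 24 00 00 80 11 e8 61 41 c1 77 c2 c0 a8 c8 d3 "
    "01 f4 01 f4 00 54 96 33"
)
# ICMP Destination Unreachable codes (RFC 792) relevant to this trace
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

def parse_ipv4_header(buf):
    """Decode the fixed part of an IPv4 header; return (fields, header length in bytes)."""
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", buf[:12])
    fields = {"version": vihl >> 4, "total_len": total_len, "ttl": ttl, "proto": proto,
              "src": str(IPv4Address(buf[12:16])), "dst": str(IPv4Address(buf[16:20]))}
    return fields, (vihl & 0x0F) * 4

def decode_blocked_packet(hex_dump):
    """Decode outer IP + ICMP; for Destination Unreachable, also the quoted inner header."""
    buf = bytes.fromhex(hex_dump)
    outer, ihl = parse_ipv4_header(buf)
    icmp = buf[ihl:]
    result = {"outer": outer, "icmp_type": icmp[0], "icmp_code": icmp[1]}
    if outer["proto"] == 1 and icmp[0] == 3:
        # Type 3 quotes the offending datagram's IP header plus the first 8 bytes
        # of its payload, which for UDP is the whole UDP header (ports included).
        inner, inner_ihl = parse_ipv4_header(icmp[8:])
        result["reason"] = UNREACH_CODES.get(icmp[1], f"code {icmp[1]}")
        result["inner"] = inner
        l4 = icmp[8 + inner_ihl:]
        if inner["proto"] == 17 and len(l4) >= 4:
            result["inner_udp"] = struct.unpack("!HH", l4[:4])  # (src port, dst port)
    return result

def describe(result):
    """One-line analyst summary of what the blocked ICMP message actually says."""
    o, i = result["outer"], result.get("inner")
    if i is None:
        return f"ICMP {result['icmp_type']}/{result['icmp_code']} from {o['src']} to {o['dst']}"
    sport, dport = result.get("inner_udp", ("?", "?"))
    return (f"{o['src']} told {o['dst']}: {result['reason']} for "
            f"UDP {i['src']}:{sport} -> {i['dst']}:{dport}")

if __name__ == "__main__":
    print(describe(decode_blocked_packet(BLOCKED_PACKET_HEX)))
```

For this dump the summary shows the client host reporting "port unreachable" for a UDP/500 datagram the gateway sent to its port 500, i.e. the IKE reply arrived while nothing on the client was listening on 500, and ISA then blocked the client's ICMP error on the way out.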
RE: Nortel Contivity through ISA - 5.Sep.2002 6:45:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi SG,

Error code 20001 indicates an "abnormal termination" usually because of a protocol rule or permissions configuration issue. Might also need to disable fragment filtering on the ISA Server.

HTH,
Tom

(in reply to scottamoore)
Post #: 59
RE: Nortel Contivity through ISA - 5.Sep.2002 3:46:00 PM   
securityguy75
Posts: 9
Joined: 26.Aug.2002
Status: offline
Hi Tom,
I'm sorry I didn't tell you this, but I already tried disabling IP Fragment filtering,...but it didn't help either. [Frown] I'll try again tonight just to make sure.

(in reply to scottamoore)
Post #: 60