David,

We do this all the time. We connect to a Nortel Extranet switch via VPN with the Nortel Networks Extranet Client Access program Ver. V02_62.33 through our GB-1000, which is NATing all our traffic.
All it requires is that you allow UDP port 500 for IKE and then the ESP protocol (protocol 50) outbound. These are the two components of IPsec. The person at the company you are working with may be thinking of Microsoft's implementation of NAT, which does not preserve the source port and therefore breaks IPsec.

Paul Terhune

-----Original Message-----
From: David Kraut [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 2:37 PM
To: '[EMAIL PROTECTED]'; 'Jason Sopko'; Gnatbox User List
Subject: RE: [gb-users] Outbound Filter?

OK, let's get under the hood of this one....

I've just been told by a tech at the remote site that it cannot be done if any type of NAT is involved!?!? Maybe you guys could confirm this for me?

Here's the sitch.... I'm at company A behind a Gnatbox Pro. I want to connect to Company B via the Internet to their VPN server, which is running Nortel Contivity VPN server/software. I initiate the connection and the Contivity client resolves the site to an IP address and then tries to establish the VPN. I then get an error: "Remote Host not responding".

Anyone have any experience with a Gnatbox to Contivity VPN connection?

David

-----Original Message-----
From: d.schneider [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 4:53 PM
To: 'Jason Sopko'; Gnatbox User List; David Kraut
Subject: RE: [gb-users] Outbound Filter?

oh yeah... and RTFM...

---------- Original Message ----------------------------------
From: David Kraut <[EMAIL PROTECTED]>
Date: Thu, 15 Aug 2002 16:50:16 -0400

>You firewall guys are wound too tight!! :)
>
>We're not running a stock exchange here so I'm not overly concerned about
>hackers drooling to get a shot at a temporary opening to a laptop with
>nothing on it. I understand your point of view though ... I'm sure it would
>be possible to expose more than just this laptop by opening a temporary hole
>so maybe I'll just plug it into the hub outside of the firewall and test
>from there.
>
>Anyway, it's good to know people are really out there reading
>this stuff! I'm obviously new with Gnatbox systems and I'm quite surprised
>I didn't already get an RTFM response! :)
>
>Thanks for your insights and help!
>
>David
>
>-----Original Message-----
>From: Jason Sopko [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, August 15, 2002 4:26 PM
>To: Gnatbox User List
>Subject: Re: [gb-users] Outbound Filter?
>
>begin Chris, I thought it was funny, I got your sarcasm. People that
>spend 7 years trying to harden Windows systems will not. If he's trying
>to create a ruleset that doesn't filter anything, he deserves witty
>sarcasm such as yours.
>
>///Jason
>
>Chris Green wrote:
>> You missed the point completely. They want all inbound/outbound traffic
>> to pass freely to the box. This is no different than plugging in
>> direct. It was sarcasm for the most part.
>>
>> Chris Green

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then
 e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages:
 http://www.mail-archive.com/[email protected]
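As an added worked example (not code from the thread, from Gnatbox or from Nortel): a small Python model of the two-rule outbound policy Paul describes, UDP/500 for IKE and IP protocol 50 for ESP, together with a NAT that rewrites only the source address and leaves the IKE source port at 500, which is the behaviour he contrasts with a port-remapping NAT. Every address, SPI and packet body below is constructed. The example also makes the practical caveat visible: ESP has no port numbers, so the NAT can only key its state on the SPI, and because the remote gateway chooses its own SPI for the inbound direction a real NAT must pair the two heuristically, which in practice limits it to one inside host per remote gateway. NAT-Traversal (UDP encapsulation on port 4500, standardized later in RFC 3947/3948) exists to remove that limitation; the thread predates it.

```python
"""Constructed IPv4 packets run through the two-rule IPsec pass-through policy
from the reply and a source-port-preserving NAT. Example code added to the
thread; not Gnatbox or Nortel code. Addresses, SPI and payloads are made up."""
import socket
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50   # ESP is its own IP protocol, not a TCP/UDP port
IKE_PORT = 500

INSIDE_HOST = "192.168.1.50"  # constructed: laptop behind the NAT firewall
PUBLIC_IP = "203.0.113.10"    # constructed: firewall's outside address
VPN_PEER = "198.51.100.7"     # constructed: remote VPN gateway


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_ipv4_checksum(header: bytes) -> bytes:
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fix_ipv4_checksum(hdr) + payload

def build_udp(sport, dport, data):
    # UDP checksum left at 0 (allowed in IPv4) to keep this short; a real NAT must
    # recompute a non-zero UDP checksum after rewriting the source address.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_esp(spi, seq, ciphertext):
    # The ESP header is only SPI and sequence number: there are no port fields.
    return struct.pack("!II", spi, seq) + ciphertext

def parse_ipv4(pkt):
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    return {"ihl": ihl, "proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:]}

def udp_ports(pkt):
    return struct.unpack("!HH", parse_ipv4(pkt)["payload"][:4])

def esp_spi(pkt):
    return struct.unpack("!I", parse_ipv4(pkt)["payload"][:4])[0]

def classify_outbound(pkt):
    """Allow IKE (UDP to port 500) and ESP (protocol 50); anything else is unmatched."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IP_PROTO_ESP:
        return "ESP"
    if ip["proto"] == IP_PROTO_UDP and len(ip["payload"]) >= 8 and udp_ports(pkt)[1] == IKE_PORT:
        return "IKE"
    return None

def nat_outbound(pkt, public_ip, state):
    """Rewrite the source address only. The IKE source port stays untouched because
    IKE peers expect 500 <-> 500; a NAT that remaps it breaks the exchange."""
    kind = classify_outbound(pkt)
    if kind is None:
        return None
    ip = parse_ipv4(pkt)
    hdr, payload = pkt[:ip["ihl"]], pkt[ip["ihl"]:]
    if kind == "IKE":
        # Port preserved, so only one inside host per peer can own (500, peer) at a time.
        state[(IP_PROTO_UDP, udp_ports(pkt)[0], ip["dst"])] = ip["src"]
    else:
        # No ports in ESP: key on the outbound SPI. The peer chooses a different SPI
        # for the inbound direction, so a real NAT has to pair the two heuristically.
        state[(IP_PROTO_ESP, esp_spi(pkt), ip["dst"])] = ip["src"]
    return fix_ipv4_checksum(hdr[:12] + socket.inet_aton(public_ip) + hdr[16:]) + payload


# Constructed sample traffic from the inside host to the VPN peer.
ISAKMP_HDR = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
IKE_PKT = build_ipv4(INSIDE_HOST, VPN_PEER, IP_PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ISAKMP_HDR))
ESP_PKT = build_ipv4(INSIDE_HOST, VPN_PEER, IP_PROTO_ESP, build_esp(0x1000ABCD, 1, b"\xaa" * 32))
HTTP_PKT = build_ipv4(INSIDE_HOST, VPN_PEER, IP_PROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16)

if __name__ == "__main__":
    nat_state = {}
    for name, pkt in (("IKE", IKE_PKT), ("ESP", ESP_PKT), ("HTTP", HTTP_PKT)):
        out = nat_outbound(pkt, PUBLIC_IP, nat_state)
        print(name, classify_outbound(pkt), None if out is None else parse_ipv4(out)["src"])
    print(nat_state)
```

Running the file prints the classification and translated source address for each constructed packet and then the NAT state table; the HTTP packet is the control case that the two IPsec rules deliberately leave unmatched, since any other outbound traffic needs its own rule.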
