ESP and AH protocols and NAT.
AM
08-10-2005
Imagine I have a PIX behind a router which can do NAT.
Imagine I would use one IP only for this kind of traffic (IPsec).

What do I have to do with my ACL to allow that traffic to be NAT'ed?


just

access-list 100 udp permit 192.168.0.1 500 any 500
access-list 100 udp permit 192.168.0.1 4500 any 4500

or also esp and ah protocols, adding something like this:

access-list 100 esp permit 192.168.0.1 any
access-list 100 ah permit 192.168.0.1 any

I know IPsec travels through udp (but not only). So finally my question is: how is the esp protocol involved in IPsec
traffic? And how should it be considered while doing NAT?

Thanks,

Alex

P.S.
Perhaps I'm a bit OT but all the results will be implemented on Cisco's routers.

Walter Roberson
08-10-2005
In article <E4sKe.12517$(E-Mail Removed)>, AM <(E-Mail Removed)> wrote:
:Imagine I have a PIX behind a router which can do NAT.
:Imagine I would use one IP only for this kind of traffic (IPsec).

:What do I have to do with my ACL to allow that traffic to be NAT'ed?

:just

:access-list 100 udp permit 192.168.0.1 500 any 500

You are missing 'host' in appropriate places.

:access-list 100 udp permit 192.168.0.1 4500 any 4500


:or also esp and ah protocols, adding something like this:

:access-list 100 esp permit 192.168.0.1 any
:access-list 100 ah permit 192.168.0.1 any

:I know IPsec travels through udp (but not only). So finally my question is: how is the esp protocol involved in IPsec
:traffic? And how should it be considered while doing NAT?

There is no point in NAT'ing AH packets. If you are not using nat-traversal
then the NAT'ing process will mess up the checksum used by AH and the
packets will be discarded. If you are using nat-traversal then the
packets will be encapsulated within UDP packets and there won't be any
exposed AH packets.

Similarly, if you are using nat-traversal then because the ESP packets will
be encapsulated within UDP, there will not be any exposed ESP packets.
There would, however, be UDP packets with a dynamic source port
going to port 4500 at the destination (but no return packets back!)
and the same thing in the other direction (dynamic source, local
destination 4500 with no outgoing packets back to that dynamic port.)
Tunnel (re-) negotiation is via isakmp (udp 500) packets.

With nat-traversal off, the data is carried in ESP packets, but the
tunnel negotiation is isakmp (udp 500) packets.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
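For reference, here is the ACL from the question rewritten the way the reply describes: with the 'host' keyword and in IOS operand order, with one entry per traffic type the thread discusses. This is an added example, not text from either poster; 192.168.0.1 is the inside address from the question, and the list number and port choices beyond those named in the thread are assumptions.

```cisco
! Added example (not from the thread): the extended ACL that the router's
! NAT "inside source list" would reference. IOS order is
!   access-list <n> permit <proto> <src> [eq <port>] <dst> [eq <port>]
! and a single address must be written with 'host' (the point raised above).
!
! IKE/ISAKMP tunnel negotiation and re-negotiation: UDP 500 at both ends.
access-list 100 permit udp host 192.168.0.1 eq 500 any eq 500
!
! NAT-traversal on: ESP (and AH) are carried inside UDP to port 4500.
! The NAT may rewrite the source port, so only the destination port is pinned.
access-list 100 permit udp host 192.168.0.1 any eq 4500
!
! NAT-traversal off: data travels as bare ESP (IP protocol 50), so ESP must
! be matched as a protocol, not as a UDP port.
access-list 100 permit esp host 192.168.0.1 any
!
! No AH entry on purpose: without NAT-T the translation breaks AH's
! integrity check and the packets are discarded; with NAT-T there are no
! exposed AH packets to match.
```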