ESP and AH protocols and NAT.

Discussion in 'Cisco' started by AM, Aug 10, 2005.

  1. AM

    AM Guest

    Imagine I have a PIX behind a router which can do NAT.
    Imagine I would use one IP only for this kind of traffic (IPsec).

    What do I have to do with my ACL that will allow that traffic to be NAT'ed?


    just

    access-list 100 udp permit 192.168.0.1 500 any 500
    access-list 100 udp permit 192.168.0.1 4500 any 4500

    or also esp and ah protocols, adding something like this:

    access-list 100 esp permit 192.168.0.1 any
    access-list 100 ah permit 192.168.0.1 any

    I know IPsec travels through UDP (but not only). So finally my question is how the ESP protocol is involved in IPsec
    traffic? And how to consider it while doing NAT?

    Thanks,

    Alex

    P.S.
    Perhaps I'm a bit OT but all the results will be implemented on Cisco's routers.
     
    AM, Aug 10, 2005
    #1

  2. In article <E4sKe.12517$>, AM <> wrote:
    :Imagine I have a PIX behind a router which can do NAT.
    :Imagine I would use one IP only for this kind of traffic (IPsec).

    :What do I have to do with my ACL that will allow that traffic to be NAT'ed?

    :just

    :access-list 100 udp permit 192.168.0.1 500 any 500

    You are missing 'host' in appropriate places.

    :access-list 100 udp permit 192.168.0.1 4500 any 4500


    :or also esp and ah protocols, adding something like this:

    :access-list 100 esp permit 192.168.0.1 any
    :access-list 100 ah permit 192.168.0.1 any

    :I know IPsec travels through UDP (but not only). So finally my question is how the ESP protocol is involved in IPsec
    :traffic? And how to consider it while doing NAT?

    There is no point in NAT'ing AH packets. If you are not using nat-traversal
    then the NAT'ing process will mess up the checksum used by AH and the
    packets will be discarded. If you are using nat-traversal then the
    packets will be encapsulated within UDP packets and there won't be any
    exposed AH packets.

    Similarly, if you are using nat-traversal then because the ESP packets will
    be encapsulated within UDP, there will not be any exposed ESP packets.
    There would, however, be UDP packets with a dynamic source port
    going to port 4500 at the destination (but no return packets back!)
    and the same thing in the other direction (dynamic source, local
    destination 4500 with no outgoing packets back to that dynamic port.)
    Tunnel (re-) negotiation is via isakmp (udp 500) packets.

    With nat-traversal off, the data is carried in ESP packets, but the
    tunnel negotiation is isakmp (udp 500) packets.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Aug 10, 2005
    #2
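The reply's point that NAT "messes up the checksum" of AH (its integrity check value) while NAT-T encapsulated traffic survives, modelled in Python as an added example that is not code from this thread: AH's ICV covers the outer IP addresses, ESP's ICV does not, and NAT-T (RFC 3948) wraps ESP in UDP to port 4500 so the NAT only ever rewrites the outer header. The key, addresses and payload are constructed, the integrity algorithm is HMAC-SHA1-96, and the set of header fields each ICV covers is simplified to the ones that matter here.

```python
import hmac
import hashlib
from ipaddress import IPv4Address

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH, NAT_T_PORT = 17, 50, 51, 4500
KEY = b"constructed-demo-integrity-key"  # constructed; a real SA gets its key from IKE

def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to its first 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(pkt: dict) -> bytes:
    # AH authenticates the immutable IP header fields (simplified to src/dst) plus the payload.
    return IPv4Address(pkt["src"]).packed + IPv4Address(pkt["dst"]).packed + pkt["payload"]

def build(mode: str, src: str, dst: str, payload: bytes) -> dict:
    """mode 'ah', 'esp' or 'natt' (ESP inside UDP/4500 per RFC 3948)."""
    pkt = {"src": src, "dst": dst, "payload": payload}
    if mode == "ah":
        pkt.update(proto=IPPROTO_AH, icv=icv(ah_covered(pkt)))
        return pkt
    # ESP's ICV covers only the ESP header and payload (simplified to the
    # payload), so the outer IP header is deliberately left unprotected.
    pkt.update(proto=IPPROTO_ESP, icv=icv(payload))
    if mode == "esp":
        return pkt
    return {"proto": IPPROTO_UDP, "src": src, "dst": dst,
            "sport": NAT_T_PORT, "dport": NAT_T_PORT, "inner": pkt}

def source_nat(pkt: dict, new_src: str, new_sport: int) -> dict:
    # A PAT device rewrites the outer source address and, for UDP, the source
    # port; the AH/ESP body is opaque to it and is left untouched.
    nat = {**pkt, "src": new_src}
    if pkt["proto"] == IPPROTO_UDP:
        nat["sport"] = new_sport
    return nat

def verify(pkt: dict) -> bool:
    """Receiver-side integrity check as the IPsec peer performs it."""
    if pkt["proto"] == IPPROTO_UDP and pkt["dport"] == NAT_T_PORT:
        return verify(pkt["inner"])  # strip the UDP shell, check the ESP inside
    covered = ah_covered(pkt) if pkt["proto"] == IPPROTO_AH else pkt["payload"]
    return hmac.compare_digest(icv(covered), pkt["icv"])

def survives_nat(mode: str) -> bool:
    """Does the peer still accept a packet from 192.168.0.1 after a NAT rewrote
    its source to a constructed public address (and port, for UDP)?"""
    pkt = build(mode, "192.168.0.1", "203.0.113.10", b"constructed payload")
    return verify(source_nat(pkt, "198.51.100.7", new_sport=61234))
```

Running `survives_nat` for "ah", "esp" and "natt" gives False, True, True: the AH packet is discarded by the peer after the address rewrite, while the ESP payload (bare or inside the UDP 4500 shell whose source port the NAT changed) still verifies.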
