Re: IPSEC through cisco router

From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Thu Jan 22 2009 - 12:23:22 ARST


Darby is as elaborative as usual. :-) No offence dude.

A.

Darby Weaver wrote:
> Well...
>
> By default the router is a router and unless you are already filtering,
> IPSec will just pass through normally - at least with a Cisco Router.
>
> If you are using a SOHO Router - you need to enable NAT-T or NAT Traversal.
>
> The specific ports are:
>
> IP Protocol 50 or ESP
> UDP Port 500 or ISAKMP
> UDP 4500 or ESP over UDP
>
> Note: AH or IP Protocol 51 is not used a lot these days due to the fact that
> it does NOT work well with NAT Traversal - The reason is self-explanatory -
> hint: look at how it handles the packet - so it just does not work well with
> NAT by definition.
>
> Don't laugh but I once ran into a self-proclaimed Security Guru who
> couldn't make the connection between UDP 500 traffic and IPSec - they had
> enabled IPSec on their Windows Servers and he opened a ticket with TAC for
> about 2+ months, he claimed CiscoWorks had a bug and TAC was working on
> it.... I put a Server in it had the same problem. I just asked for a
> packet capture with Wireshark... Dude was like.... "How did you know
> that?" I was thinking "Dude ought to wear a sign!". Especially if a
> Security Expert can not recognize UDP 500 as ISAKMP in 2008. Live and let
> live... I wonder if he ever got that IPSec VPN up and running?
>
> Now as for the Private Address Space issue.
>
> You can either NAT on the ASA itself (if your address space is being
> advertised to the world) or you can perform the NAT at your Router if you
> only have a single IP or only wanted to use a single IP for some reason. If
> it's at your house for instance you'd just perform NAT at the router and
> forward the ports to your next device of your choice. NAT Traversal itself
> would handle the IPSec Traffic magically for you. You can use the Sysopt
> command option in the PIX/ASA to perform the same traffic but if you want to
> be more granular, then you would prefer to write the ACL and be specific on
> where IPSec might or might not be allowed inside your network.
>
>
> Let me know if you need more.... Offline is fine too.
>
> On 1/22/09, Asim Zafar <asim.mz@gmail.com> wrote:
>
>> Dear Group,
>>
>>
>> How can i setup cisco router to pass ipsec ports and create IPSEC
>> tunnel behind it on a ASA 5510 which will be on private ip address.
>>
>>
>>
>> --
>> Thanks & Regards,
>>
>> Asim Zafar
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>

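A concrete router-side configuration for what Darby describes above (an added example, not from the thread or from anyone posting in it). It assumes a Cisco IOS router with its public side on GigabitEthernet0/0 at 203.0.113.10, the ASA's outside interface on a private address 192.168.1.2 behind GigabitEthernet0/1, and NAT-T in use so that ESP travels inside UDP 4500; all names and addresses are placeholders. The ACL is the "be more granular" option the post mentions; the ASA lines at the end show the sysopt alternative and the NAT-T keepalive setting.

```cisco
! --- Router (IOS) ---
! Forward the two IPsec control/data ports to the ASA's private address.
! UDP 500 = ISAKMP, UDP 4500 = ESP over UDP (NAT-T). Raw ESP (IP proto 50)
! has no port, so without NAT-T you would need a full 1:1 static NAT instead.
ip nat inside source static udp 192.168.1.2 500 203.0.113.10 500 extendable
ip nat inside source static udp 192.168.1.2 4500 203.0.113.10 4500 extendable
!
! Only admit IPsec-related traffic from the outside; log anything else.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet (assumed public address)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description LAN toward ASA outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- ASA 5510 (behind the router, outside = 192.168.1.2) ---
! Send NAT-T keepalives every 20 seconds so the router's UDP 4500 translation
! stays alive while the tunnel is idle.
crypto isakmp nat-traversal 20
! The coarse alternative to an interface ACL: let decrypted VPN traffic bypass
! the outside-interface access list.
sysopt connection permit-vpn
```

To confirm the mapping on the router, `show ip nat translations` should list the two static UDP entries, and `show access-list OUTSIDE-IN` hit counters on the isakmp and non500-isakmp lines should increment when the peer starts negotiating; if only the `deny ip any any log` counter moves, the peer is sending on a port or protocol the ACL does not admit (AH, protocol 51, is the usual culprit and is not expected through NAT).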



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST