From: Mas Kato (tealp729@xxxxxxxx)
Date: Wed May 09 2001 - 23:45:43 GMT-3
Gang,
As an experiment, I tried to implement some of the functionality of my
little Linksys box on a 2600.
Here are the things I'm trying to implement:
1) PAT
2) Outside interface IP address via DHCP
Sounds like Easy IP, but then comes the killer:
3) IPSec "passthrough"
PAT basically breaks IPSec, so I was wondering how the Linksys manages
it...
I thought maybe with IPSec it did a straight port-for-port NAT with the
one outside global address assigned by DHCP (which would lead me to
believe it could only support one IPSec passthrough session at a time),
while doing PAT with everything else and reserving strategic ports.
Here's what I tried:
! Inside (LAN) side
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside side, global address learned via DHCP
interface Ethernet1
 ip address dhcp
 ip nat outside
!
! Intended: plain NAT for IPsec traffic, PAT (overload) for everything else
ip nat inside source route-map IPSEC interface Ethernet1
ip nat inside source list 110 interface Ethernet1 overload
!
! IPsec traffic from the LAN: ISAKMP, ESP and AH
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 100 permit esp 192.168.1.0 0.0.0.255 any
access-list 100 permit ahp 192.168.1.0 0.0.0.255 any
!
! Everything else from the LAN, with IPsec excluded
access-list 110 deny udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 110 deny esp 192.168.1.0 0.0.0.255 any
access-list 110 deny ahp 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map IPSEC permit 10
 match ip address 100
I figured maybe the first 'ip nat inside' command would do straight
extended NAT with IPSec and the second command would do PAT with the
rest. Not.
Alas, since the 'ip nat inside' command references an interface to get
the global address from, it automatically gets configured for 'overload'.
Configuring a NAT pool would defeat the purpose of using DHCP on the
outside and there's no way I can tell to reference a DHCP-derived
address with a static translation.
Anybody have any thoughts or comments about this?
Thanks,
Mas
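The post's reasoning, that PAT can only multiplex TCP/UDP by rewriting ports and that ESP gives a translator nothing comparable to rewrite, is easy to see in a small model. The following Python is an added illustration for this thread, not code from the original post and not how Linksys or IOS actually implement passthrough; the addresses and SPIs are constructed, and the rule it uses for ESP (bind one inside host per remote peer, drop a second inside host to the same peer) is an assumption about how a passthrough gateway could route returning ESP, chosen to show the "one session at a time" limit rather than to document a real product. AH is dropped outright because AH authenticates the source address that NAT rewrites.

```python
"""Toy model of NAT overload (PAT) on a single outside address, to show why
TCP/UDP multiplex cleanly but ESP and AH do not.  Constructed illustration
added to this thread; not Linksys or IOS code.  The "one inside host per
remote peer" ESP binding rule is an assumption, not a documented product
behaviour."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses: a DHCP-assigned outside address and RFC 1918 inside hosts.
OUTSIDE_IP = "203.0.113.7"
TCP, UDP, ESP, AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None  # TCP/UDP only
    spi: Optional[int] = None    # ESP/AH: the header carries an SPI, no ports


@dataclass
class OverloadNat:
    global_ip: str = OUTSIDE_IP
    next_port: int = 1024
    # (proto, inside ip, inside port) -> global port, and the reverse lookup
    out_table: Dict[Tuple[int, str, int], int] = field(default_factory=dict)
    in_table: Dict[Tuple[int, int], Tuple[str, int]] = field(default_factory=dict)
    # ESP passthrough binding: remote peer -> inside host (assumed policy)
    esp_peer: Dict[str, str] = field(default_factory=dict)

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet, or return None to drop it."""
        if p.proto in (TCP, UDP):
            key = (p.proto, p.src, p.sport)
            gport = self.out_table.get(key)
            if gport is None:
                gport = self.next_port  # fresh global port: the "overload" part
                self.next_port += 1
                self.out_table[key] = gport
                self.in_table[(p.proto, gport)] = (p.src, p.sport)
            return Packet(p.proto, self.global_ip, p.dst, gport, p.dport)
        if p.proto == ESP:
            # No port to rewrite; all we can do is remember who talks to this peer.
            owner = self.esp_peer.setdefault(p.dst, p.src)
            if owner != p.src:
                return None  # second inside host to the same peer: return ESP would be ambiguous
            return Packet(ESP, self.global_ip, p.dst, spi=p.spi)
        # AH authenticates the source address itself, so any translation breaks it.
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None to drop it."""
        if p.dst != self.global_ip:
            return None
        if p.proto in (TCP, UDP):
            hit = self.in_table.get((p.proto, p.dport))
            if hit is None:
                return None
            inside_ip, inside_port = hit
            return Packet(p.proto, p.src, inside_ip, p.sport, inside_port)
        if p.proto == ESP:
            inside = self.esp_peer.get(p.src)  # keyed on the peer, not on the SPI
            return None if inside is None else Packet(ESP, p.src, inside, spi=p.spi)
        return None


def demo() -> dict:
    """Two inside hosts behind one outside address; returns what the NAT did."""
    nat = OverloadNat()
    peer = "198.51.100.5"
    # ISAKMP (UDP/500) from both hosts, same source port: PAT separates them by port.
    ike_a = nat.outbound(Packet(UDP, "192.168.1.10", peer, 500, 500))
    ike_b = nat.outbound(Packet(UDP, "192.168.1.11", peer, 500, 500))
    ike_back_b = nat.inbound(Packet(UDP, peer, OUTSIDE_IP, 500, ike_b.sport))
    # ESP: the first host binds the peer; the second host to the same peer is dropped.
    esp_a = nat.outbound(Packet(ESP, "192.168.1.10", peer, spi=0x1001))
    esp_b = nat.outbound(Packet(ESP, "192.168.1.11", peer, spi=0x2002))
    esp_back = nat.inbound(Packet(ESP, peer, OUTSIDE_IP, spi=0xABCD))
    # A different peer gets its own binding, so host .11 can still run IPsec elsewhere.
    esp_b_other = nat.outbound(Packet(ESP, "192.168.1.11", "198.51.100.9", spi=0x2002))
    ah = nat.outbound(Packet(AH, "192.168.1.10", peer, spi=0x3003))
    return {
        "ike_a_port": ike_a.sport,
        "ike_b_port": ike_b.sport,
        "ike_back_b_dst": ike_back_b.dst,
        "esp_a_src": esp_a.src,
        "esp_b_dropped": esp_b is None,
        "esp_back_dst": esp_back.dst,
        "esp_b_other_ok": esp_b_other is not None,
        "ah_dropped": ah is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the model rewrites the ISAKMP source port like any other UDP flow; an IKE peer that insists on the source being UDP/500 would reject that, which is the kind of problem the "reserving strategic ports" idea in the post is about and which UDP encapsulation of ESP on port 4500 (IPsec NAT-Traversal, RFC 3948) later addressed by giving ESP a port to multiplex on.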
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:37 GMT-3