RE: IPSec & NAT

From: RSiddappa@xxxxxxxxxx
Date: Sat Feb 02 2002 - 23:33:55 GMT-3

Erick,

Probably it is like this.

The original packet is encapsulated in ESP or AH. Then it needs to be given a
public address (it needs to go through the Internet) and is sent to the
destination peer 100.1.1.2, where it gets decrypted from ESP and sent to the
private address.

Please correct me if I am wrong.

So actually IPSec is doing a kind of NATing, but the data inside the
IP packet is encrypted and also authenticated, so that
someone from outside will not alter it.

But when you do NAT, only the source address of the IP packet is changed and
sent over the Internet, without any security.

Guys, please comment.

Rajeev.

-----Original Message-----
From: Erick B. [mailto:erickbe@yahoo.com]
Sent: Saturday, February 02, 2002 8:26 PM
To: Siddappa, Rajeev; signal@shreve.net; cchurch@MAGNACOM.com
Cc: ccielab@groupstudy.com
Subject: RE: IPSec & NAT

Rajeev,

I'm not a crypto guru, but will try to answer...

The traffic from/to the private networks that isn't
NAT'd will have a source/destination of that private
network. I believe the original IP packet is
encapsulated in a crypto packet, so when it's decrypted
at the other end it gets forwarded along using the original
addresses.

Please correct me if I'm wrong...

Erick

--- RSiddappa@NECBNS.com wrote:
>
>
> Erick,
>
> I got you.
>
> But one more doubt: what will be the destination
> address of the packet going from a private
> network to a private network?
> Will the encrypted packet have a public IP
> address assigned to it, and
> then get decrypted at the other end?
>
> What will happen if I allow that packet to get NATed
> and after that IPSec?
> (Private addressed traffic)
>
> Rajeev.
>
>
>
>
> -----Original Message-----
> From: Erick B. [mailto:erickbe@yahoo.com]
> Sent: Saturday, February 02, 2002 8:04 PM
> To: Siddappa, Rajeev; signal@shreve.net;
> cchurch@MAGNACOM.com
> Cc: ccielab@groupstudy.com
> Subject: Re: IPSec & NAT
>
>
> Hi,
>
> Traffic from network 10.50.50.x/24 to network
> 10.103.1.x/24 will not be NAT'd. Traffic from
> network
> 10.50.50.x/24 to any other network besides
> 10.103.1.x/24 will be NAT'd. Vice versa for other
> router.
>
> This way the 2 private 10.x networks can communicate
> with each other, and traffic from/to other networks
> will get a 99.99.99.x address which is public IP
> space.
>
> HTH, Erick
>
> --- RSiddappa@NECBNS.com wrote:
> > Hi guys,
> >
> > Can someone explain to me what's happening with the
> > following 110 access-list.
> >
> >
>
> > http://www.cisco.com/warp/customer/707/overload_private.shtml
> >
> >
> >
> > Rajeev.
> >
>
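The thread above turns on two points: access-list 110 exempts the private-to-private traffic from NAT so that the crypto map sees it with its original addresses, and IPsec tunnel mode then wraps that whole original packet in an ESP packet whose outer header carries the public peer addresses (99.99.99.x on one side, 100.1.1.2 on the other). The following toy model is an added example and is not code from the thread or from Cisco. It assumes, as on IOS, that NAT is applied before the crypto map on the outbound path, that the crypto ACL matches the same 10.50.50.0/24 to 10.103.1.0/24 traffic that ACL 110 denies (exempts), and it uses a constructed outside address 99.99.99.1 for the local router. ESP encryption and authentication are not modelled; the inner packet is simply carried as a field.

```python
"""
Toy model of NAT exemption plus IPsec tunnel-mode encapsulation, written as an
added example for the thread above (not Cisco code, not the thread's own code).
Assumed order of operations on the outbound interface: NAT first, then crypto map.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: bytes


@dataclass(frozen=True)
class EspTunnelPacket:
    """Tunnel-mode ESP: a new outer IP header around the untouched original packet.
    In real ESP the inner packet is encrypted and integrity-protected; here it is
    kept in the clear so the addresses can be inspected."""
    outer_src: IPv4Address
    outer_dst: IPv4Address
    inner: Packet


# Access lists modelled as (action, src_net, dst_net); first match wins and
# there is an implicit deny at the end, like an IOS extended access list.
# ACL 110 is the NAT list: 'deny' means "do not translate" (the exemption).
ACL_110 = [
    ("deny", IPv4Network("10.50.50.0/24"), IPv4Network("10.103.1.0/24")),
    ("permit", IPv4Network("10.50.50.0/24"), IPv4Network("0.0.0.0/0")),
]
# Crypto ACL (assumed): the same private-to-private traffic that ACL 110 exempts.
CRYPTO_ACL = [
    ("permit", IPv4Network("10.50.50.0/24"), IPv4Network("10.103.1.0/24")),
]

PUBLIC_IP = IPv4Address("99.99.99.1")  # constructed: this router's outside address
PEER_IP = IPv4Address("100.1.1.2")     # remote IPsec peer named in the thread


def acl_match(acl, pkt):
    """Return 'permit' or 'deny' for the first matching entry (implicit deny)."""
    for action, src_net, dst_net in acl:
        if pkt.src in src_net and pkt.dst in dst_net:
            return action
    return "deny"


def route_outbound(pkt, nat_acl, crypto_acl, public_ip, peer_ip):
    """Return the packet as it would leave the outside interface."""
    # Step 1: NAT (inside -> outside). Only the source address is rewritten;
    # nothing is encrypted or authenticated.
    if acl_match(nat_acl, pkt) == "permit":
        pkt = Packet(public_ip, pkt.dst, pkt.payload)
    # Step 2: crypto map. Matching traffic is wrapped whole; the original
    # private header survives inside the tunnel packet.
    if acl_match(crypto_acl, pkt) == "permit":
        return EspTunnelPacket(public_ip, peer_ip, pkt)
    return pkt


def decapsulate(esp):
    """Remote peer: strip the outer header and forward the original packet
    using the original private addresses."""
    return esp.inner


def demo_site_to_site():
    """10.50.50.x -> 10.103.1.x: exempt from NAT, carried in the ESP tunnel."""
    pkt = Packet(IPv4Address("10.50.50.5"), IPv4Address("10.103.1.7"), b"hello")
    return route_outbound(pkt, ACL_110, CRYPTO_ACL, PUBLIC_IP, PEER_IP)


def demo_internet_bound():
    """10.50.50.x -> anywhere else: PAT to 99.99.99.1, sent without IPsec."""
    pkt = Packet(IPv4Address("10.50.50.5"), IPv4Address("198.51.100.10"), b"GET /")
    return route_outbound(pkt, ACL_110, CRYPTO_ACL, PUBLIC_IP, PEER_IP)


def demo_nat_before_ipsec_without_exemption():
    """Same private-to-private packet, but the NAT list lacks the deny line:
    the source is translated first, the crypto ACL no longer matches, and the
    packet leaves in the clear via NAT instead of through the tunnel."""
    nat_acl_without_exemption = [ACL_110[1]]
    pkt = Packet(IPv4Address("10.50.50.5"), IPv4Address("10.103.1.7"), b"hello")
    return route_outbound(pkt, nat_acl_without_exemption, CRYPTO_ACL, PUBLIC_IP, PEER_IP)


if __name__ == "__main__":
    print("site-to-site :", demo_site_to_site())
    print("internet     :", demo_internet_bound())
    print("no exemption :", demo_nat_before_ipsec_without_exemption())
```

The third scenario is the case Rajeev asks about: if the private-to-private traffic is allowed to be NATed before IPsec, the crypto ACL sees 99.99.99.1 as the source, nothing matches, and the traffic that was supposed to be protected is sent over the Internet unencrypted. Checking that the NAT access list's deny entry and the crypto ACL's permit entry cover exactly the same address pairs is the practical test for this configuration.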



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3