RE: IPSec & NAT

From: tom cheung (tkc9789@xxxxxxxxxxx)
Date: Sat Feb 02 2002 - 23:48:06 GMT-3


Hummm, in transport mode, the IPSec header is inserted between the original
header and the payload. Everything gets authenticated but not encrypted.
It should still work router to router, but I'm not sure the PIX supports
transport mode. Somebody correct me if I'm wrong.

Tom

>From: RSiddappa@NECBNS.com
>To: tkc9789@hotmail.com, erickbe@yahoo.com, ccielab@groupstudy.com,
>erickbe@yahoo.com, signal@shreve.net, cchurch@MAGNACOM.com,
>jkaberna@netcginc.com, tkc9789@hotmail.com, ben@kesslerconsulting.com
>Subject: RE: IPSec & NAT
>Date: Sat, 2 Feb 2002 20:41:20 -0600
>
>
>
>Tom
>
>You are absolutely right.
>
>A little more work for everyone:
>
>What happens if this were transport mode?
>
>Rajeev.
>
>
>
>-----Original Message-----
>From: tom cheung [mailto:tkc9789@hotmail.com]
>Sent: Saturday, February 02, 2002 8:38 PM
>To: Siddappa, Rajeev; erickbe@yahoo.com; ccielab@groupstudy.com
>Subject: RE: IPSec & NAT
>
>
>I'll take a crack at this.
>Typically, gateway to gateway IPSec tunnels are in tunnel mode, with the
>original IP header encapsulated with a new IPSec header. The address of the new
>IPSec header will be the tunnel endpoint you defined. Therefore, depending
>on how you have the IPSec tunnel set up, it may or may not have the
>registered addresses. To your second point, if you allow everything to be
>natted, then nothing will be sent over IPSec, as nothing matches access-list
>115.
>
>
> >From: RSiddappa@NECBNS.com
> >Reply-To: RSiddappa@NECBNS.com
> >To: erickbe@yahoo.com, signal@shreve.net, cchurch@MAGNACOM.com
> >CC: ccielab@groupstudy.com
> >Subject: RE: IPSec & NAT
> >Date: Sat, 2 Feb 2002 19:11:11 -0700
> >
> >Erick,
> >
> >I got you.
> >
> >But one more doubt: what will be the destination address of the packet
> >addressed from a private to a private network?
> >Will the encrypted packet have a public IP address assigned to it,
> >and
> >then get decrypted at the other end?
> >
> >What will happen if I allow that packet to get NATed and after that
> >IPSec?
> >(Private addressed traffic)
> >
> >Rajeev.
> >
> >
> >
> >
> >-----Original Message-----
> >From: Erick B. [mailto:erickbe@yahoo.com]
> >Sent: Saturday, February 02, 2002 8:04 PM
> >To: Siddappa, Rajeev; signal@shreve.net; cchurch@MAGNACOM.com
> >Cc: ccielab@groupstudy.com
> >Subject: Re: IPSec & NAT
> >
> >
> >Hi,
> >
> >Traffic from network 10.50.50.x/24 to network
> >10.103.1.x/24 will not be NAT'd. Traffic from network
> >10.50.50.x/24 to any other network besides
> >10.103.1.x/24 will be NAT'd. Vice versa for other
> >router.
> >
> >This way the 2 private 10.x networks can communicate
> >with each other, and traffic from/to other networks
> >will get a 99.99.99.x address which is public IP
> >space.
> >
> >HTH, Erick
> >
> >--- RSiddappa@NECBNS.com wrote:
> > > hi Guys,
> > >
> > > Can someone explain to me what's happening with the
> > > following 110 access-list.
> > >
> > >
> >http://www.cisco.com/warp/customer/707/overload_private.shtml
> > >
> > >
> > >
> > > Rajeev.
> > >
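The following is an added illustration, not part of the thread above and not taken from the Cisco page it links to. It models in Python what Erick and Tom describe: a NAT access-list that exempts 10.50.50.x/24 to 10.103.1.x/24 traffic (so the two private networks talk unchanged) while overloading everything else onto public 99.99.99.x space, followed by a crypto access-list (access-list 115 in Tom's message) that selects private-to-private traffic for a tunnel-mode IPSec SA whose outer header carries the tunnel endpoints. It assumes the IOS inside-to-outside order of operations (NAT is applied before the crypto map is consulted) and uses constructed endpoint addresses 99.99.99.1 and 99.99.99.2, which are not from the thread. The `exempt_tunnel_traffic=False` path shows Rajeev's "what if I let it get NATed first" case: the translated source no longer matches the crypto ACL, so nothing is encrypted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges taken from Erick's message in the thread.
LAN_A = ipaddress.ip_network("10.50.50.0/24")   # behind router A
LAN_B = ipaddress.ip_network("10.103.1.0/24")   # behind router B

# Constructed tunnel endpoints in the thread's 99.99.99.x public space
# (assumption: the thread never states which public addresses are used).
ROUTER_A_PUBLIC = "99.99.99.1"
ROUTER_B_PUBLIC = "99.99.99.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def nat_acl_permits(pkt: Packet, exempt_tunnel_traffic: bool = True) -> bool:
    """Models the NAT access-list on router A.

    A 'deny' for LAN_A -> LAN_B exempts tunnel traffic from translation;
    a 'permit' for any other LAN_A source hands it to NAT overload.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in LAN_A:
        return False                      # not an inside source, NAT never applies
    if exempt_tunnel_traffic and dst in LAN_B:
        return False                      # the 'deny' line: leave private-to-private alone
    return True                           # the 'permit' line: overload to public space


def apply_nat(pkt: Packet, exempt_tunnel_traffic: bool = True) -> Packet:
    """NAT overload: rewrite the source to the router's public address."""
    if nat_acl_permits(pkt, exempt_tunnel_traffic):
        return Packet(ROUTER_A_PUBLIC, pkt.dst)
    return pkt


def crypto_acl_matches(pkt: Packet) -> bool:
    """Models the crypto ACL (access-list 115 style): permit ip LAN_A LAN_B."""
    return (ipaddress.ip_address(pkt.src) in LAN_A
            and ipaddress.ip_address(pkt.dst) in LAN_B)


def encapsulate_tunnel_mode(inner: Packet) -> dict:
    """Tunnel mode: the whole inner packet is protected and a new outer IP
    header is added whose addresses are the tunnel endpoints, as Tom describes."""
    return {"outer": Packet(ROUTER_A_PUBLIC, ROUTER_B_PUBLIC),
            "inner": inner, "encrypted": True}


def forward(pkt: Packet, exempt_tunnel_traffic: bool = True) -> dict:
    """Inside-to-outside processing on router A.

    Assumption (IOS order of operations): NAT runs first, then the crypto map
    is checked against the packet as it looks after translation.
    """
    after_nat = apply_nat(pkt, exempt_tunnel_traffic)
    if crypto_acl_matches(after_nat):
        return encapsulate_tunnel_mode(after_nat)
    # No crypto match: the packet leaves in the clear with whatever NAT did to it.
    return {"outer": after_nat, "inner": None, "encrypted": False}


if __name__ == "__main__":
    private_to_private = Packet("10.50.50.10", "10.103.1.20")
    private_to_internet = Packet("10.50.50.10", "198.51.100.5")  # constructed public host

    print("exempted, to LAN_B :", forward(private_to_private))
    print("to the Internet    :", forward(private_to_internet))
    print("NAT everything     :", forward(private_to_private, exempt_tunnel_traffic=False))
```

With the exemption in place, the private-to-private packet reaches the crypto map untouched, matches, and is carried inside an outer header of 99.99.99.1 to 99.99.99.2 (the registered addresses Rajeev asked about), while a packet to any other destination is translated and sent unencrypted. With the exemption removed, the private-to-private packet is translated to 99.99.99.1 before the crypto check and therefore never matches the crypto ACL, which is exactly why Tom says nothing would be sent over IPSec.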



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3