From: RSiddappa@xxxxxxxxxx
Date: Tue Feb 05 2002 - 12:26:28 GMT-3
Hi Guys
I am coming back with the same doubt again, but a little different.
>> >http://www.cisco.com/warp/customer/707/overload_private.shtml
In the above link the packets which have to be encrypted are denied from
getting any NATed address.
But why does IPSec really not work when you NAT?
In the above example, if I add one more access-list which says to
permit all the traffic going out to the internet to be NATed, and also one more
access-list to encrypt all the traffic going to destination 10.X.X.x (
private address) after NATing,
will the IPSec work after this?
Please do respond.
www.agilent.com/comms/casestudies
I guess all the other vendors are having the same problem.
Thank you,
Rajeev.
-----Original Message-----
From: tom cheung [mailto:tkc9789@hotmail.com]
Sent: Saturday, February 02, 2002 9:02 PM
To: Siddappa, Rajeev; ccielab@groupstudy.com
Subject: RE: IPSec & NAT
Correction: in transport mode, depending on whether you're using ESP or AH,
the payload will or will not be encrypted.
>From: "tom cheung" <tkc9789@hotmail.com>
>Reply-To: "tom cheung" <tkc9789@hotmail.com>
>To: RSiddappa@NECBNS.com, ccielab@groupstudy.com
>Subject: RE: IPSec & NAT
>Date: Sat, 02 Feb 2002 20:48:06 -0600
>
>Hummm, in transport mode, the IPSec header is inserted between the
>original
>header and the payload. Everything gets authenticated but not encrypted.
>It should still work router to router, but I'm not sure the PIX supports
>transport mode. Somebody correct me if I'm wrong.
>
>Tom
>
>>From: RSiddappa@NECBNS.com
>>To: tkc9789@hotmail.com, erickbe@yahoo.com, ccielab@groupstudy.com,
>>erickbe@yahoo.com, signal@shreve.net, cchurch@MAGNACOM.com,
>>jkaberna@netcginc.com, tkc9789@hotmail.com, ben@kesslerconsulting.com
>>Subject: RE: IPSec & NAT
>>Date: Sat, 2 Feb 2002 20:41:20 -0600
>>
>>
>>
>>Tom
>>
>>You are absolutely right.
>>
>>A little more work for everyone:
>>
>>What happens if this was in transport mode?
>>
>>Rajeev.
>>
>>
>>
>>-----Original Message-----
>>From: tom cheung [mailto:tkc9789@hotmail.com]
>>Sent: Saturday, February 02, 2002 8:38 PM
>>To: Siddappa, Rajeev; erickbe@yahoo.com; ccielab@groupstudy.com
>>Subject: RE: IPSec & NAT
>>
>>
>>I'll take a crack at this.
>>Typically, gateway-to-gateway IPSec tunnels are in tunnel mode, with the
>>original IP header encapsulated with a new IPSec header. The address of the
>>new IPSec header will be the tunnel endpoint you defined. Therefore,
>>depending on how you have the IPSec tunnel set up, it may or may not have the
>>registered addresses. To your second point, if you allow everything to be
>>natted, then nothing will be sent over IPSec as nothing matches access-list
>>115.
>>
>>
>> >From: RSiddappa@NECBNS.com
>> >Reply-To: RSiddappa@NECBNS.com
>> >To: erickbe@yahoo.com, signal@shreve.net, cchurch@MAGNACOM.com
>> >CC: ccielab@groupstudy.com
>> >Subject: RE: IPSec & NAT
>> >Date: Sat, 2 Feb 2002 19:11:11 -0700
>> >
>> >Erick,
>> >
>> >I got you.
>> >
>> >But one more doubt: what will be the destination address of the packet
>> >addressed from a private to a private network?
>> >Will the encrypted packet have a public IP address assigned to it, and
>> >then get decrypted at the other end?
>> >
>> >What will happen if I allow that packet to get NATed and after that
>> >IPSec? (Private-addressed traffic)
>> >
>> >Rajeev.
>> >
>> >
>> >
>> >
>> >-----Original Message-----
>> >From: Erick B. [mailto:erickbe@yahoo.com]
>> >Sent: Saturday, February 02, 2002 8:04 PM
>> >To: Siddappa, Rajeev; signal@shreve.net; cchurch@MAGNACOM.com
>> >Cc: ccielab@groupstudy.com
>> >Subject: Re: IPSec & NAT
>> >
>> >
>> >Hi,
>> >
>> >Traffic from network 10.50.50.x/24 to network
>> >10.103.1.x/24 will not be NAT'd. Traffic from network
>> >10.50.50.x/24 to any other network besides
>> >10.103.1.x/24 will be NAT'd. Vice versa for other
>> >router.
>> >
>> >This way the 2 private 10.x networks can communicate
>> >with each other, and traffic from/to other networks
>> >will get a 99.99.99.x address which is public IP
>> >space.
>> >
>> >HTH, Erick
>> >
>> >--- RSiddappa@NECBNS.com wrote:
>> > > hi Guys,
>> > >
>> > > Can someone explain to me what's happening with the
>> > > following 110 access-list?
>> > >
>> > >
>> >http://www.cisco.com/warp/customer/707/overload_private.shtml
>> > >
>> > >
>> > >
>> > > Rajeev.
>> > >
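Added example (not from the thread, and not Cisco's code): a small Python model of the router egress order the thread is arguing about, in which the NAT decision (access-list 110) is made before the crypto-map check (access-list 115), followed by a check of what a NAT device on the path does to an AH-protected transport-mode packet. The 10.50.50.0/24, 10.103.1.0/24 and 99.99.99.x addresses come from Erick's reply; the outside address 99.99.99.1, the internet host 198.51.100.7, the HMAC-SHA-256 stand-in for the AH transform and its key are constructed for the demo.

```python
"""Model of the inside-to-outside order on the router: NAT (access-list 110)
is applied before the crypto map (access-list 115) is consulted.  This is an
added example; nothing here is from the Cisco page the thread links to."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

LOCAL_LAN = ipaddress.ip_network("10.50.50.0/24")    # from Erick's reply
REMOTE_LAN = ipaddress.ip_network("10.103.1.0/24")   # from Erick's reply
OUTSIDE_ADDR = "99.99.99.1"      # assumed: this router's public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def acl_110_nat(pkt: Packet) -> bool:
    """access-list 110 as used by 'ip nat inside source list 110 ... overload':
    deny 10.50.50.0/24 -> 10.103.1.0/24, then permit 10.50.50.0/24 -> any."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in LOCAL_LAN and dst in REMOTE_LAN:
        return False                  # deny: VPN traffic keeps private addresses
    return src in LOCAL_LAN           # permit: everything else is translated


def acl_115_crypto(pkt: Packet) -> bool:
    """access-list 115 referenced by the crypto map: only private-to-private
    traffic between the two LANs is interesting for IPsec."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src in LOCAL_LAN and dst in REMOTE_LAN


def egress(pkt: Packet, nat_everything: bool = False):
    """NAT first, then the crypto-map check.  nat_everything=True models the
    proposal in the thread of NATing all outbound traffic."""
    if nat_everything or acl_110_nat(pkt):
        pkt = replace(pkt, src=OUTSIDE_ADDR)
    action = "ipsec" if acl_115_crypto(pkt) else "clear"
    return action, pkt


# Why a NAT device between the peers breaks AH: the AH integrity check value
# covers the IP header (src/dst) as well as the payload, so rewriting src
# invalidates it.  HMAC-SHA-256 stands in for the real AH transform (assumed).
AH_KEY = b"constructed-demo-key"     # constructed, not a real SA key


def ah_icv(pkt: Packet) -> bytes:
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.payload
    return hmac.new(AH_KEY, covered, hashlib.sha256).digest()


def ah_verify(pkt: Packet, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(pkt), icv)


def ah_survives_nat(pkt: Packet) -> bool:
    """Protect a transport-mode packet with AH, then let a NAT on the path
    rewrite its source address before the peer verifies it."""
    icv = ah_icv(pkt)
    translated = replace(pkt, src=OUTSIDE_ADDR)
    return ah_verify(translated, icv)


if __name__ == "__main__":
    vpn = Packet("10.50.50.10", "10.103.1.20", b"private-to-private")
    web = Packet("10.50.50.10", "198.51.100.7", b"to the internet")
    print(egress(vpn))                       # ('ipsec', src stays 10.50.50.10)
    print(egress(web))                       # ('clear', src becomes 99.99.99.1)
    print(egress(vpn, nat_everything=True))  # ('clear', ...): nothing matches 115
    print(ah_survives_nat(vpn))              # False
```

The third call is the case Tom describes: once every packet is translated, the crypto ACL (written for private addresses) never matches and the traffic leaves in the clear, which is why access-list 110 has to deny the LAN-to-LAN traffic before permitting the rest. The last call shows the other half of the question: with AH the header is inside the integrity check, so any NAT on the path between the peers breaks the packet regardless of what the ACLs do.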
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:12 GMT-3