From: tdt_cciesec (tdt_cciesec@yahoo.com)
Date: Wed Aug 02 2006 - 07:19:40 ART
The answer is generally yes, but it is based on how the question is worded.
If they say that no NAT-T is allowed, then you need to allow ISAKMP and ESP, and
on the router you need to specify "no crypto ipsec nat-traversal udp-encapsulation" so
that the routers will communicate with each other via ESP and not NAT-T.
Even if the FW is not doing NAT, routers, by default, will use ISAKMP and NAT-T when
doing IPsec with another router. You can test and see it for yourself. The only way
for it to use ESP, to my knowledge, is to specify "no crypto ipsec nat-traversal
udp-encapsulation" on the router. That's how I understand it with IOS version 12.2T.
HTH
tdt
Larry Roberts <groupstudy@american-hero.com> wrote:
UDP 500 is for ISAKMP.
UDP 4500 is for NAT-T or NAT transparency.
If your device behind the FW that is terminating the tunnels needs to
support NAT-T, then yes, you do need to permit it, but it's not part of
ISAKMP, but rather part of the actual data transfer (ESP).
Now, if you're not doing NAT on the FW, then you need to permit UDP 500 for
ISAKMP and also ESP for the data transfer.
Hussein Ghazy wrote:
> Hi,
>
> I want to allow ISAKMP traffic through the PIX firewall from the outside
> interface.
>
> Do I need to create two UDP access-list entries on the outside interface, one for
> equal isakmp and the second for equal 4500?
>
> Thanks
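The configuration the thread is circling around, written out as an added example (this is not from any of the three posts above). Addresses are assumptions: the IPsec peer behind the PIX is taken to be reachable from the outside as 203.0.113.10, either through a static translation on the PIX or with no NAT for that host. The ACL syntax is PIX 6.x. Note that the IOS keyword for disabling UDP encapsulation is "nat-transparency", which is what is shown below; it turns off the NAT-T behaviour the posts describe so that the data path is native ESP (IP protocol 50), which has no ports and therefore needs its own ACL entry rather than a UDP one.

```text
! Added example, not from the thread. Assumed: the IPsec peer behind the
! PIX is reachable from the outside as 203.0.113.10 (static translation
! on the PIX, or no NAT for that host).

! --- PIX 6.x: inbound ACL on the outside interface ---
! ISAKMP (IKE phase 1 and 2 negotiation), UDP 500
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
! NAT-T: IKE and UDP-encapsulated ESP move to UDP 4500 when a NAT is
! detected between the peers
access-list outside_in permit udp any host 203.0.113.10 eq 4500
! Native ESP (IP protocol 50) for the data path when NAT-T is not used;
! ESP has no ports, so a UDP entry cannot cover it
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! --- IOS router terminating the tunnel (12.2(13)T and later) ---
! Disable UDP encapsulation so the peers carry data as native ESP;
! with this set, the PIX only needs the isakmp and esp entries above.
no crypto ipsec nat-transparency udp-encapsulation

! Verify which encapsulation an SA is actually using:
!   "in use settings ={Tunnel, }"            -> native ESP
!   "in use settings ={Tunnel UDP-Encaps, }" -> NAT-T (UDP 4500) in effect
show crypto ipsec sa
```

If the PIX only permits UDP 500 and UDP 4500, a peer that has negotiated native ESP will complete IKE and then pass no traffic; the "show crypto ipsec sa" output is the quickest way to tell which of the two cases you are in before adjusting the ACL.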
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART