RE: Allowing ISAKMP Traffic through PIX

From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Thu Aug 03 2006 - 18:12:17 ART


The answer is "isakmp enable outside" and you are set for ISAKMP UDP
500/500 and UDP 4500.

HTH

Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tdt_cciesec
Sent: Wednesday, August 02, 2006 6:20 AM
To: Larry Roberts; Hussein Ghazy
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Allowing ISAKMP Traffic through PIX

The answer is generally yes, but it is based on how the question is
worded.

If they say that no NAT-T is allowed then you need to allow isakmp and
esp, and on the router you need to specify "no crypto ipsec nat-traversal
udp-encapsulation" so that the routers will communicate with each other
via esp and not nat-t.

Even if the FW is not doing NAT, routers, by default, will use isakmp
and nat-t when doing IPSec with another router. You can test and see it
for yourself. The only way for it to use esp, to my knowledge, is to
specify "no crypto ipsec nat-traversal udp-encapsulation" on the router.
That's how I understand it with IOS version 12.2T.

HTH
tdt

Larry Roberts <groupstudy@american-hero.com> wrote:
UDP 500 is for isakmp
UDP 4500 is for NAT-T or NAT transparency.

If your device behind the FW that is terminating the tunnels needs to
support NAT-T then yes, you do need to permit it, but it's not part of
ISAKMP, but rather part of the actual data transfer (ESP).

Now, if you're not doing NAT on the FW then you need to permit UDP 500 for
isakmp and also ESP for the data transfer.

Hussein Ghazy wrote:
> Hi,
>
> I want to allow ISAKMP traffic through the PIX firewall from the
> outside interface.
>
> Do I need to create two UDP access-list entries on the outside
> interface, one for equal isakmp and the second for equal 4500?
>
> Thanks

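Added configuration example pulling the three answers above together. This is not from any of the posters; it is illustrative only. Addresses are RFC 5737 documentation addresses: 203.0.113.10 is assumed to be the outside address of a router sitting behind the PIX that terminates the tunnel, and it is assumed to be reachable through the PIX without translation (identity NAT or no nat-control, which is outside the scope here). Syntax is PIX 7.x; the 6.x form drops the "extended" keyword. One detail worth knowing before you type it into a lab: the IOS keyword is "nat-transparency", not "nat-traversal".

```cisco
! --- PIX: a router at 203.0.113.10 (assumed address) behind the PIX terminates IPsec ---
! IKE/ISAKMP on UDP 500; "isakmp" is a PIX port literal for 500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
! NAT-T (RFC 3947/3948): IKE and UDP-encapsulated ESP both move to UDP 4500
! once the peers detect a NAT in the path, or when IOS is left at its default
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
! ESP (IP protocol 50): used when NAT-T is off; there is no port to match on
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
! everything else from outside is dropped by the implicit deny
access-group OUTSIDE_IN in interface outside

! --- IOS router (hypothetical), when the task says NAT-T is not allowed ---
! UDP encapsulation is on by default since 12.2(13)T; turning it off forces
! the SA to run as plain ESP on protocol 50, so the esp line above must exist
no crypto ipsec nat-transparency udp-encapsulation

! --- Alternative: the PIX itself terminates the tunnel ---
! enabling ISAKMP on the interface opens UDP 500/4500 to the PIX's own
! outside address; no OUTSIDE_IN entries are needed for that traffic
isakmp enable outside
! NAT-T keepalives every 20 seconds, only needed if a NAT sits between peers
isakmp nat-traversal 20
```

To see which path the peers actually took, watch the hit counts in "show access-list OUTSIDE_IN" on the PIX: hits on the 4500 line and none on the esp line means the routers negotiated NAT-T even though nothing is translating, which is the behaviour tdt describes. On the router, "show crypto ipsec sa" shows the SA as UDP-encapsulated in the same case. Leave out whichever of the 4500 or esp lines your design does not use rather than permitting both; the ACL should describe the one path you expect.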



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART