From: Dusty (dustygoody@gmail.com)
Date: Sat Oct 21 2006 - 12:11:24 ART
Edouard,
With IOS 12.2(13)T and later, NAT-T will be enabled by default, unless you
want to disable NAT-T by using "no crypto ipsec nat-transparency
udp-encapsulation". You can check the tunnel when it is established by using
"show crypto ipsec sa"; you should be able to see if it is tunnel or UDP
encap for NAT-T.
Dusty
On 10/21/06, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>
> Sir, I mean, The PIX is doing a NAT:
>
> static (inside,outside) 99.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0,
>
> So, the router should detect that there is a NAT between the peers, am I
> right? If so, the routers should be performing NAT-T. Please tell me if I
> am right or not.
>
> Regards
>
> ----- Original Message -----
> From: "Schulz, Dave" <DSchulz@dpsciences.com>
> To: "Edouard Zorrilla" <ezorrilla@tsf.com.pe>; <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Friday, October 20, 2006 11:25 PM
> Subject: RE: Question about NAT-T
>
>
> Edouard -
>
> The configuration in question refers to doing an IPSec tunnel through a
> PIX firewall. The tunnel actually terminates on the router. What
> specifically is your question?
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Friday, October 20, 2006 11:25 PM
> To: security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Question about NAT-T
>
> Hello Group, I am here one more time,
>
> Regarding this link:
>
> http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html
>
> It says:
>
> "Detecting whether NAT exists along the network path allows you to find
> any NAT device between two peers and the exact location of NAT. A NAT
> device can translate the private IP address and port to public value (or
> from public to private). This translation changes the IP address and port
> if the packet goes through the device. To detect whether a NAT device
> exists along the network path, the peers should send a payload with hashes
> of the IP address and port of both the source and destination address from
> each end. If both ends calculate the hashes and the hashes match, each peer
> knows that a NAT device does not exist on the network path between them.
> If the hashes do not match (that is, someone translated the address or
> port), then each peer needs to perform NAT traversal to get the IPSec
> packet through the network."
>
> So far, so good.
>
> My question is regarding this link:
>
> http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
>
> I understood that the NAT-T should be done inside the Cisco 2621; however,
> it is not. Could anyone please tell me why that is? I am trying to figure
> this out w/o luck. Or maybe I am misunderstanding the sample config :(.
>
> Thanks in advance.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
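The NAT detection that the quoted Cisco text describes, worked through with the PIX static translation from this thread (inside 10.1.1.2 presented as 99.99.99.12), as an added example that is not part of the original mail or of any Cisco code. It follows the RFC 3947 NAT-D payload format; SHA-1 as the negotiated IKE hash, the ISAKMP cookies and the router address 99.99.99.1 are constructed assumptions.

```python
"""IKE NAT-T discovery with NAT-D payloads (RFC 3947).

Each peer hashes the cookies plus the IP/port it believes it is using.
The receiver recomputes the hash from the addresses actually seen on the
wire; a mismatch means a NAT rewrote the address or port in transit, and
the peers switch to UDP-encapsulated ESP (NAT-T)."""
import hashlib
import ipaddress
import struct

ISAKMP_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port): IP packed as 4 or 16 octets, port as 2.
    SHA-1 is assumed here as the hash negotiated in the ISAKMP SA."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, dst, dst_port, local_srcs, src_port):
    """Sender side: first payload hashes the destination as the sender sees it,
    then one payload per local source address the sender might be using."""
    return ([nat_d_hash(cky_i, cky_r, dst, dst_port)]
            + [nat_d_hash(cky_i, cky_r, ip, src_port) for ip in local_srcs])


def check_nat_d(cky_i, cky_r, payloads, my_ip, my_port, seen_src, seen_port):
    """Receiver side: recompute from the on-the-wire addresses.
    Returns (receiver_behind_nat, sender_behind_nat)."""
    local_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    remote_nat = nat_d_hash(cky_i, cky_r, seen_src, seen_port) not in payloads[1:]
    return local_nat, remote_nat


def run_exchange(claimed_src: str, seen_src: str):
    """Peer sends NAT-D built from claimed_src; router receives it from seen_src."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    router_ip = "99.99.99.1"  # assumed address of the far-end router
    payloads = build_nat_d(cky_i, cky_r, router_ip, ISAKMP_PORT, [claimed_src], ISAKMP_PORT)
    return check_nat_d(cky_i, cky_r, payloads, router_ip, ISAKMP_PORT, seen_src, ISAKMP_PORT)


def pix_example():
    """The PIX static rewrites 10.1.1.2 to 99.99.99.12, so the router's hash of the
    source it sees cannot match the hash the peer computed: NAT-T is required."""
    return run_exchange("10.1.1.2", "99.99.99.12")


if __name__ == "__main__":
    print("router behind NAT, PIX-side peer behind NAT:", pix_example())
```

With the PIX static in place the router sees the peer as NAT'd, which is what a "udp-encap" entry in "show crypto ipsec sa" would confirm; without the translation both hashes match and plain ESP is used.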
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART