From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sat Oct 21 2006 - 13:00:05 ART
Things seem to be clear now, thanks a lot, Sir,
Regards
----- Original Message -----
From: Dusty
To: Edouard Zorrilla
Cc: Schulz, Dave ; security@groupstudy.com ; ccielab@groupstudy.com
Sent: Saturday, October 21, 2006 10:11 AM
Subject: Re: Question about NAT-T
Edouard,
With IOS 12.2(13)T and later, NAT-T will be enabled by default, unless you
want to disable NAT-T by using "no crypto ipsec nat-transparency
udp-encapsulation". You can check the tunnel when it is established by using
"show crypto ipsec sa"; you should be able to see if it is tunnel or UDP encap
for NAT-T.
Dusty
On 10/21/06, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
Sir, I mean, the PIX is doing a NAT:
static (inside,outside) 99.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0,
So, the router should detect that there is a NAT between the peers, am I
right? If so, the routers should be performing NAT-T. Please tell me if I
am all right or not.
Regards
----- Original Message -----
From: "Schulz, Dave" <DSchulz@dpsciences.com>
To: "Edouard Zorrilla" <ezorrilla@tsf.com.pe>; <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, October 20, 2006 11:25 PM
Subject: RE: Question about NAT-T
Edouard -
The configuration in question refers to doing an IPSec tunnel through a
PIX firewall. The tunnel actually terminates on the router. What
specifically is your question?
Dave Schulz,
Email: dschulz@dpsciences.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Friday, October 20, 2006 11:25 PM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Question about NAT-T
Hello Group, I am here one more time,
Regarding this link:
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html
It says:
"Detecting whether NAT exists along the network path allows you to find any NAT device between two peers and the exact location of NAT. A NAT device can translate the private IP address and port to public value (or from public to private). This translation changes the IP address and port if the packet goes through the device. To detect whether a NAT device exists along the network path, the peers should send a payload with hashes of the IP address and port of both the source and destination address from each end. If both ends calculate the hashes and the hashes match, each peer knows that a NAT device does not exist on the network path between them. If the hashes do not match (that is, someone translated the address or port), then each peer needs to perform NAT traversal to get the IPSec packet through the network."
So far, so good.
My question is regarding this link:
http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
I understood that the NAT-T should be done inside the Cisco 2621, however it
is not. Could anyone please tell me why that is? I am trying to figure out
this w/o luck. Or maybe I am misunderstanding the sample config :(.
Thanks in advance.
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
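The hash comparison the quoted Cisco text describes, worked through as an added example that is not part of this thread and not Cisco's or the router's own code. It uses the RFC 3947 NAT-D form HASH(CKY-I | CKY-R | IP | Port) with SHA-1 assumed as the negotiated IKE hash; the IKE cookies and the remote peer address 203.0.113.5 are constructed, while 10.1.1.2 translated to 99.99.99.12 is the PIX static from the thread.

```python
import hashlib
import ipaddress
import struct

# Added example, not from the thread or from Cisco. NAT-D payload body per
# RFC 3947: HASH(CKY-I | CKY-R | IP | Port). SHA-1 is assumed as the negotiated
# hash; cookies and the remote peer 203.0.113.5 are constructed values.

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D payload body: both IKE cookies, the 4-byte IPv4 address and
    the 2-byte UDP port, all in network byte order, hashed with SHA-1."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Payloads a peer sends, computed from its OWN view of the addresses:
    first the remote (destination) address/port, then its local (source) one."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def check_nat_d(cky_i, cky_r, payloads, my_addr, observed_src):
    """Receiver side. Returns (i_am_behind_nat, peer_is_behind_nat).
    my_addr: the receiver's own address/port. observed_src: the source
    address/port as the packet actually arrived on the wire (after any NAT)."""
    dst_hash, *src_hashes = payloads
    i_am_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, *my_addr)
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in src_hashes
    return i_am_behind_nat, peer_behind_nat

CKY_I = bytes.fromhex("0011223344556677")   # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie

def scenario_pix_static():
    """Router at 10.1.1.2 initiates through the PIX static to the constructed
    remote peer 203.0.113.5. The PIX rewrites the source to 99.99.99.12, so the
    source the remote peer observes no longer matches the hash the router sent."""
    router = ("10.1.1.2", 500)
    remote = ("203.0.113.5", 500)
    sent = build_nat_d(CKY_I, CKY_R, local=router, remote=remote)
    # What the remote peer sees on the wire after the PIX translation:
    return check_nat_d(CKY_I, CKY_R, sent, my_addr=remote,
                       observed_src=("99.99.99.12", 500))

def scenario_no_nat():
    """Same exchange with no translation in the path: every hash matches."""
    a, b = ("192.0.2.1", 500), ("203.0.113.5", 500)
    sent = build_nat_d(CKY_I, CKY_R, local=a, remote=b)
    return check_nat_d(CKY_I, CKY_R, sent, my_addr=b, observed_src=a)

if __name__ == "__main__":
    print("PIX static in path:", scenario_pix_static())  # (False, True): peer uses UDP 4500 encapsulation
    print("no NAT in path:", scenario_no_nat())          # (False, False): plain ESP tunnel
```

A mismatch on the source hash is exactly what makes the peers switch to the UDP 4500 encapsulation that "show crypto ipsec sa" then reports, as Dusty notes above.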
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART