From: Kal Han (calikali2006@gmail.com)
Date: Sat Nov 25 2006 - 22:53:01 ART
I usually use show conns on the pix to check that
the udp 4500 conn is up.
On your router, show crypto ipsec sa should also show
the use of port 4500 instead of 500.
From what I know, unlike on pix which needs an explicit
"isakmp nat-traversal" to enable that feature, on IOS routers
this process is automatic.
They send a hash of payload + ports to their peers as part of
IKE phase 1. Any change in the hashes will indicate a nat device
and automatically trigger nat-t, moving to port 4500 udp
encapsulation to beat the nat device.
Whether you have pat or static nat, nat-t will be invoked
(unless you have a static identity nat on the pix, which doesn't
change much of the related stuff).
You can also peer with the NATed IP itself to not use nat-traversal.
Thanks
Kal
On 11/25/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> Here's my scenario:
>
>
> ROUTER1 (f0 - 1.1.1.1) ------ (out - 1.1.1.2) PIX (in - 2.2.2.2) ------
> (f0 - 2.2.2.1) ROUTER2
>
>
> If I'm doing an L2L IPSec tunnel between the two routers through a PIX
> (with
> ROUTER2 translated via the "static" command on the PIX), does this
> automatically invoke NAT-T?
>
> If so, how can I verify this? By UDP 4500 requests coming into the PIX?
>
> If not, when does NAT-T apply to a static NAT scenario? I know you have
> to
> enable NAT-T when using PAT, but what about static NAT?
>
> Any help would be much appreciated.
>
> Thanks,
>
> Ed
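The NAT detection step Kal describes (peers exchange hashes in IKE phase 1 and a mismatch reveals a NAT in the path, after which IKE floats to UDP 4500) is worth seeing worked through. The following Python is an added illustration written for this archive page, not code from either poster or from Cisco. It follows the RFC 3947 NAT-D layout, where each hash covers the two ISAKMP cookies plus an IP address and port, and SHA-1 is assumed as the negotiated hash. It reuses the thread's addresses (ROUTER1 1.1.1.1, ROUTER2 2.2.2.1); the PIX static translation address 1.1.1.3 and the cookie values are constructed placeholders, since the original post does not name them. The `simulate` function shows both the static-NAT case from the question and the identity-NAT case Kal mentions, where the address is unchanged and no NAT is detected.

```python
import hashlib
import ipaddress
import struct

# Constructed scenario based on the thread's diagram:
#   ROUTER1 f0 = 1.1.1.1, ROUTER2 f0 = 2.2.2.1
#   The PIX static-translates ROUTER2 to 1.1.1.3 (placeholder, not from the post).
IKE_PORT = 500
NATT_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).
    IP is the raw address bytes (4 for IPv4, 16 for IPv6); port is a big-endian
    16-bit value. SHA-1 is an assumption here; real peers use the SA's hash."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         local_ip: str, local_port: int,
                         remote_ip: str, remote_port: int) -> list:
    """What a sending peer places in its NAT-D payloads (RFC 3947 section 4):
    first the hash of the address/port it believes the REMOTE end has, then the
    hash of its OWN address/port as it sees itself (pre-translation)."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i: bytes, cky_r: bytes, received_payloads: list,
               seen_src_ip: str, seen_src_port: int,
               seen_dst_ip: str, seen_dst_port: int) -> tuple:
    """Receiver-side check: recompute the hashes over the addresses actually
    present in the IP/UDP header of the received packet and compare them with
    what the sender claimed. Returns (local_behind_nat, peer_behind_nat)."""
    remote_hash, *own_hashes = received_payloads
    # First payload describes us as the sender addressed us; if that differs
    # from the destination we really received on, our address was rewritten.
    local_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port)
    # Remaining payloads describe the sender's own address(es); if none match
    # the source we see, the sender's address was rewritten on the way here.
    seen_src = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = seen_src not in own_hashes
    return local_behind_nat, peer_behind_nat


def negotiated_port(local_behind_nat: bool, peer_behind_nat: bool) -> int:
    """NAT-T floats to UDP 4500 if a NAT is detected on either side."""
    return NATT_PORT if (local_behind_nat or peer_behind_nat) else IKE_PORT


def simulate(translated_src: str) -> tuple:
    """ROUTER2 (2.2.2.1) initiates IKE to ROUTER1 (1.1.1.1) through the PIX,
    which rewrites the packet's source address to translated_src.
    Returns (local_behind_nat, peer_behind_nat, port) as concluded by ROUTER1."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")  # constructed responder cookie
    payloads = build_nat_d_payloads(cky_i, cky_r,
                                    "2.2.2.1", IKE_PORT,   # ROUTER2's own view
                                    "1.1.1.1", IKE_PORT)   # where it sent the packet
    # The packet as ROUTER1 sees it after the PIX has translated the source.
    local_nat, peer_nat = detect_nat(cky_i, cky_r, payloads,
                                     translated_src, IKE_PORT,
                                     "1.1.1.1", IKE_PORT)
    return local_nat, peer_nat, negotiated_port(local_nat, peer_nat)


if __name__ == "__main__":
    # Static NAT on the PIX: 2.2.2.1 appears as 1.1.1.3 -> peer NAT detected, port 4500.
    print("static nat     :", simulate("1.1.1.3"))
    # Static identity NAT: address unchanged -> no NAT detected, stays on port 500.
    print("identity nat   :", simulate("2.2.2.1"))
```

The two calls at the bottom mirror the thread: with an ordinary static translation ROUTER1 sees a source address that does not match ROUTER2's NAT-D hash and moves to 4500, which is why UDP 4500 shows up in `show conns` on the PIX and in `show crypto ipsec sa` on the routers; with identity NAT the hashes agree and IKE stays on 500.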
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART