RE: IOS to IOS VPN across ASA

From: Khawar Butt (khawarb@khawarb.com)
Date: Wed Aug 06 2008 - 06:02:30 ART


Hi Ajay,

Another thing you might want to keep an eye out for is that if the Inside
Router (R1) was translated, the Routers would have automatically done NAT-T.
In that case, you don't need to open up ESP on the outside ACL. Instead, you
would open up UDP/500 and UDP/4500.

Best Regards,

Khawar Butt
CCIE#12353 (R/S , Security , SP , Voice)
http://www.khawarb.com
http://www.netmetric-solutions.com
E-mail : khawarb@khawarb.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ajay mehra
Sent: Wednesday, August 06, 2008 4:48 PM
To: ccielab@groupstudy.com
Subject: Re: IOS to IOS VPN across ASA

I got an answer for my 1st query. In ASA I did not clear xlate table before
initiating connection from outside. Since there was a previous entry for UDP
port 500 in xlate table I was able to initiate tunnel from outside.

But surely I am looking for the answer on second query until I find it by
myself :).

Thanks,
Ajay

On 06/08/2008, Ajay mehra <ajaymehra01@gmail.com> wrote:

> Hi,
>
>
> I started with IE labs today and was trying to do IOS to IOS IPsec across
> ASA.
> Can you please help me in finding the correct answer for these questions
>
>
>
> I have R1---------------ASA-----------------------R2 with R1 on inside and
> R2 on outside network.
>
> R1 is 136.1.121.1 and R2 is 136.1.122.2
>
> 1: To establish IPsec tunnel using esp we should permit esp on outside
> interface. Also we need to permit udp port 500 for ISAKMP on outside (only
> if we are initiating tunnel from R2). But in my case tunnel comes up even
> though I do not have any access list to permit udp port 500 in outside
> interface, I am initiating connection from R2.
>
>
> access-list OUTSIDE_IN extended permit icmp any any
> access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
> access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
> access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host
> 136.1.121.1
> access-group OUTSIDE_IN in interface outside
>
> Why is ISAKMP phase 1 negotiation successful when I initiate connection from
> R2 even though I do not permit UDP port 500 on outside interface?
>
>
>
> 2: Will the IPSEC tunnel remain up even if I clear ISAKMP sa? I was under
> impression that clearing phase 1 sa will clear phase 2 sa also.
>
> After I do "clea crypto isakm sa" I still have counters incrementing for
> packets encrypt and decrypt.
>
>
>
> R2(config-if)#do sh cryp isa sa
> dst src state conn-id slot status
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
> #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
> R2(config-if)#
>
> R2(config-if)#do pi 150.1.1.1 so 150.1.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
> Packet sent with a source address of 150.1.2.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
> #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
> R2(config-if)#
>
>
>
>
>
> Thanks,
>
> Ajay
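The check below is an added example, not code from the thread or from Cisco. It audits an ASA outside ACL for the flows an outside-initiated IPsec tunnel needs (UDP/500 for ISAKMP, plus ESP, or UDP/4500 when the peers use NAT-T as Khawar describes), so a missing entry shows up in the config review rather than being masked by a stale xlate. The ACL text is a constructed copy of the one in the post; the ACE regex and `PORT_NAMES` cover only the ACE forms seen here and are assumptions about the output format.

```python
import re

# Constructed copy of the outside ACL from the thread (sample input, not a live config).
ACL_TEXT = """
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
"""

# Service names the ASA prints for the ports this check cares about (assumed subset).
PORT_NAMES = {"isakmp": 500, "www": 80, "ntp": 123}

# Only "permit <proto> <any|host X> <any|host Y> [eq <port>]" ACEs are understood.
ACE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?"
)

def parse_aces(text):
    """Return (proto, src, dst, port) tuples; src/dst are 'any' or an address."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # access-group lines, remarks and other ACE forms are skipped
        proto, src, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port, int(port) if port.isdigit() else port)
        aces.append((proto, src.split()[-1], dst.split()[-1], port))
    return aces

def permits(aces, proto, src, dst, port=None):
    """True if some ACE matches this flow (an ACE without 'eq' matches any port)."""
    for p, s, d, pt in aces:
        if p == proto and s in ("any", src) and d in ("any", dst) and pt in (None, port):
            return True
    return False

def missing_for_inbound_tunnel(acl_text, outside_peer, inside_peer, nat_t=False):
    """List the flows an outside-initiated tunnel needs that the ACL does not permit.

    inside_peer is the address as seen on the outside interface, i.e. the
    translated address when the inside router is NATed (the NAT-T case)."""
    aces = parse_aces(acl_text)
    needed = [("udp", 500)]                                   # ISAKMP, IKE phase 1
    needed.append(("udp", 4500) if nat_t else ("esp", None))  # NAT-T or raw ESP
    return [f"{proto}/{port or 'any'}" for proto, port in needed
            if not permits(aces, proto, outside_peer, inside_peer, port)]

if __name__ == "__main__":
    for nat_t in (False, True):
        print("NAT-T" if nat_t else "no NAT", "missing:",
              missing_for_inbound_tunnel(ACL_TEXT, "136.1.122.2", "136.1.121.1", nat_t))
```

Run against the post's ACL it reports `udp/500` missing, which is exactly the flow the stale xlate entry happened to allow.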

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART