From: Ajay mehra (ajaymehra01@gmail.com)
Date: Wed Aug 06 2008 - 06:33:53 ART
I am going to try this once you help me solve the NAT-T issue ;)
With PAT enabled I get an error message on the ASA:
"regular translation creation failed for protocol 50 src inside:136.1.121.1 dst outside:136.1.122.2"
I quickly searched the archives and found this:
"you cannot translate protocol 50, which is ESP, using PAT; you need NAT and a
static 1-to-1 mapping to allow protocol 50 into the translated IP."
I could not find the next thread to confirm this and to answer why it cannot
translate ESP with PAT.
Thanks,
Ajay
On 06/08/2008, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> Or if you're a quant like me and Khawar at this stuff (right Khawar?)
> you can prevent the routers from doing NAT-T so the results and necessary
> ACLs are more certain: ESP 50/UDP 500 ONLY!!!
>
> no crypto ipsec nat-transparency udp-encapsulation
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Khawar Butt
> Sent: Wednesday, August 06, 2008 5:03 AM
> To: 'Ajay mehra'; ccielab@groupstudy.com
> Subject: RE: IOS to IOS VPN across ASA
>
> Hi Ajay,
>
>
> Another thing you might want to keep an eye out for is that if the Inside
> Router (R1) was translated, the Routers would have automatically done NAT-T.
> In that case, you don't need to open up ESP on the outside ACL. Instead, you
> would open up UDP/500 and UDP/4500.
>
> Best Regards,
>
> Khawar Butt
> CCIE#12353 (R/S , Security , SP , Voice)
> http://www.khawarb.com
> http://www.netmetric-solutions.com
> E-mail : khawarb@khawarb.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ajay mehra
> Sent: Wednesday, August 06, 2008 4:48 PM
> To: ccielab@groupstudy.com
> Subject: Re: IOS to IOS VPN across ASA
>
> I got an answer to my 1st query. On the ASA I did not clear the xlate table before
> initiating the connection from outside. Since there was a previous entry for UDP
> port 500 in the xlate table, I was able to initiate the tunnel from outside.
>
> But surely I am looking for the answer on second query until I find it by
> myself :).
>
> Thanks,
> Ajay
>
>
> On 06/08/2008, Ajay mehra <ajaymehra01@gmail.com> wrote:
>
> > Hi,
> >
> >
> > I started with IE labs today and was trying to do IOS to IOS IPsec across
> > ASA.
> > Can you please help me find the correct answers to these questions?
> >
> >
> >
> > I have R1---------------ASA-----------------------R2 with R1 on the inside
> > and R2 on the outside network.
> >
> > R1 is 136.1.121.1 and R2 is 136.1.122.2
> >
> > 1: To establish an IPsec tunnel using ESP we should permit ESP on the outside
> > interface. Also we need to permit UDP port 500 for ISAKMP on the outside (only
> > if we are initiating the tunnel from R2). But in my case the tunnel comes up even
> > though I do not have any access list to permit UDP port 500 on the outside
> > interface, and I am initiating the connection from R2.
> >
> >
> > access-list OUTSIDE_IN extended permit icmp any any
> > access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
> > access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
> > access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host
> > 136.1.121.1
> > access-group OUTSIDE_IN in interface outside
> >
> > Why is ISAKMP phase 1 negotiation successful when I initiate the connection
> > from R2 even though I do not permit UDP port 500 on the outside interface?
> >
> >
> >
> > 2: Will the IPsec tunnel remain up even if I clear the ISAKMP SA? I was under
> > the impression that clearing the phase 1 SA would clear the phase 2 SA also.
> >
> > After I do "clear crypto isakmp sa" I still have counters incrementing for
> > packets encrypted and decrypted.
> >
> >
> >
> > R2(config-if)#do sh cryp isa sa
> > dst src state conn-id slot status
> >
> > R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> > #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
> > #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
> > R2(config-if)#
> >
> > R2(config-if)#do pi 150.1.1.1 so 150.1.2.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
> > Packet sent with a source address of 150.1.2.2
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
> >
> > R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> > #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
> > #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
> > R2(config-if)#
> >
> >
> >
> >
> >
> > Thanks,
> >
> > Ajay
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
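To make concrete why the ASA can PAT UDP/500 and UDP/4500 but not protocol 50, here is an added Python model (not code from the thread, from Cisco IOS or from the ASA) of an overload PAT table beside a one-to-one static NAT, plus the ESP-in-UDP/4500 wrapping that NAT-T routers apply per RFC 3948. PAT has to multiplex many inside hosts onto one global address using an L4 port, and bare ESP (RFC 4303) carries only an SPI and sequence number, so there is nothing to key the translation on; a static 1:1 mapping rewrites only the address and so passes any protocol number, and once ESP rides inside UDP/4500 the same PAT rule works. The global addresses 136.1.122.10 and 136.1.122.11, the SPI, the ciphertext bytes and the packet contents are constructed; the error string is modelled on the ASA log quoted in the thread; IP and UDP checksums are left at zero and no ACL evaluation is modelled.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # RFC 3948: ESP carried inside UDP/4500 once NAT-T is negotiated


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options); header checksum left at 0 in this model."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": bytes_to_ip(pkt[12:16]), "dst": bytes_to_ip(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def build_esp(spi, seq, ciphertext):
    """RFC 4303 ESP: SPI and sequence number, then the encrypted payload. No ports anywhere."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_udp(sport, dport, payload):
    """UDP header with checksum 0 (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def nat_t_encapsulate(esp_pkt):
    """Re-wrap a bare ESP packet as ESP-in-UDP/4500, as the routers do when NAT-T is negotiated."""
    ip = parse_ipv4(esp_pkt)
    assert ip["proto"] == IPPROTO_ESP
    return build_ipv4(ip["src"], ip["dst"], IPPROTO_UDP,
                      build_udp(NAT_T_PORT, NAT_T_PORT, ip["payload"]))


class Pat:
    """Port Address Translation: many inside hosts share one global IP, multiplexed on L4 port."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.xlate = {}  # (inside_ip, proto, inside_port) -> global_port

    def translate(self, pkt):
        ip = parse_ipv4(pkt)
        if ip["proto"] not in (IPPROTO_TCP, IPPROTO_UDP):
            # Nothing to multiplex on: ESP carries an SPI, not a port.
            # Error text modelled on the ASA log from the thread (constructed here).
            return None, ("regular translation creation failed for protocol %d src inside:%s dst outside:%s"
                          % (ip["proto"], ip["src"], ip["dst"]))
        sport, _dport = struct.unpack("!HH", ip["payload"][:4])
        key = (ip["src"], ip["proto"], sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        l4 = struct.pack("!H", self.xlate[key]) + ip["payload"][2:]  # rewrite source port only
        return build_ipv4(self.global_ip, ip["dst"], ip["proto"], l4), None


class StaticNat:
    """One-to-one NAT: rewrites only the IP address, so any protocol number passes."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)  # inside_ip -> global_ip

    def translate(self, pkt):
        ip = parse_ipv4(pkt)
        if ip["src"] not in self.mapping:
            return None, "no static mapping for %s" % ip["src"]
        return build_ipv4(self.mapping[ip["src"]], ip["dst"], ip["proto"], ip["payload"]), None


def demo():
    # Constructed sample: R1 (inside) sends ESP to R2 (outside), addresses as in the thread.
    esp = build_ipv4("136.1.121.1", "136.1.122.2", IPPROTO_ESP,
                     build_esp(spi=0x1A2B3C4D, seq=1, ciphertext=b"\x00" * 16))
    pat = Pat("136.1.122.10")  # assumed global PAT address
    _pat_esp, err_pat = pat.translate(esp)
    static = StaticNat({"136.1.121.1": "136.1.122.11"})  # assumed static global address
    static_esp, _err_static = static.translate(esp)
    natt, _err_natt = pat.translate(nat_t_encapsulate(esp))
    return {
        "pat_esp_error": err_pat,
        "static_esp_src": parse_ipv4(static_esp)["src"] if static_esp else None,
        "static_esp_proto": parse_ipv4(static_esp)["proto"] if static_esp else None,
        "natt_proto": parse_ipv4(natt)["proto"] if natt else None,
        "natt_ports": struct.unpack("!HH", parse_ipv4(natt)["payload"][:4]) if natt else None,
        "xlate": dict(pat.xlate),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the three outcomes side by side: the PAT attempt on bare ESP returns the translation-failed error, the static mapping passes protocol 50 with only the source address rewritten, and the NAT-T wrapped copy is PAT'ed on UDP source port 4500 to the first pooled port, which is also why the outside ACL then needs UDP/500 and UDP/4500 rather than ESP. Real firewalls may additionally track ESP by SPI for pass-through, which this model deliberately leaves out.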
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART