RE: IOS to IOS VPN across ASA

From: Khawar Butt (khawarb@khawarb.com)
Date: Wed Aug 06 2008 - 07:12:24 ART


Good point Joe.

Khawar Butt
CCIE#12353 (R/S , Security , SP , Voice)
http://www.khawarb.com
http://www.netmetric-solutions.com
E-mail : khawarb@khawarb.com

-----Original Message-----
From: Joseph Brunner [mailto:joe@affirmedsystems.com]
Sent: Wednesday, August 06, 2008 5:20 PM
To: 'Khawar Butt'; 'Ajay mehra'; ccielab@groupstudy.com
Subject: RE: IOS to IOS VPN across ASA

Or if you're a quant like me and Khawar at this stuff (right Khawar?)
you can prevent the routers from doing NAT-T so the results and necessary
ACLs are more certain, ESP 50/UDP 500 ONLY!!!

no crypto ipsec nat-transparency udp-encapsulation

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Khawar Butt
Sent: Wednesday, August 06, 2008 5:03 AM
To: 'Ajay mehra'; ccielab@groupstudy.com
Subject: RE: IOS to IOS VPN across ASA

Hi Ajay,

Another thing you might want to keep an eye out for is that if the inside
router (R1) was translated, the routers would have automatically done NAT-T.
In that case, you don't need to open up ESP on the outside ACL. Instead, you
would open up UDP/500 and UDP/4500.

Best Regards,

Khawar Butt
CCIE#12353 (R/S , Security , SP , Voice)
http://www.khawarb.com
http://www.netmetric-solutions.com
E-mail : khawarb@khawarb.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ajay
mehra
Sent: Wednesday, August 06, 2008 4:48 PM
To: ccielab@groupstudy.com
Subject: Re: IOS to IOS VPN across ASA

I got an answer for my 1st query. On the ASA I did not clear the xlate table before
initiating the connection from outside. Since there was a previous entry for UDP
port 500 in the xlate table, I was able to initiate the tunnel from outside.

But surely I am looking for the answer to the second query until I find it by
myself :).

Thanks,
Ajay

On 06/08/2008, Ajay mehra <ajaymehra01@gmail.com> wrote:

> Hi,
>
>
> I started with IE labs today and was trying to do IOS to IOS IPsec across
> ASA.
> Can you please help me in finding the correct answer for these questions?
>
> I have R1---------------ASA-----------------------R2 with R1 on inside and
> R2 on outside network.
>
> R1 is 136.1.121.1 and R2 is 136.1.122.2
>
> 1: To establish an IPsec tunnel using ESP we should permit ESP on the outside
> interface. Also we need to permit UDP port 500 for ISAKMP on outside (only
> if we are initiating the tunnel from R2). But in my case the tunnel comes up even
> though I do not have any access list to permit UDP port 500 on the outside
> interface, and I am initiating the connection from R2.
>
>
> access-list OUTSIDE_IN extended permit icmp any any
> access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
> access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
> access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
> access-group OUTSIDE_IN in interface outside
>
> Why is ISAKMP phase 1 negotiation successful when I initiate the connection from
> R2 even though I do not permit UDP port 500 on the outside interface?
>
> 2: Will the IPsec tunnel remain up even if I clear the ISAKMP SA? I was under
> the impression that clearing the phase 1 SA will clear the phase 2 SA also.
>
> After I do "clea crypto isakm sa" I still have counters incrementing for
> packets encrypted and decrypted.
>
> R2(config-if)#do sh cryp isa sa
> dst src state conn-id slot status
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
> #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
> R2(config-if)#
>
> R2(config-if)#do pi 150.1.1.1 so 150.1.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
> Packet sent with a source address of 150.1.2.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
> #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
> R2(config-if)#
>
> Thanks,
>
> Ajay
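As an added example (not from this thread or any of its authors), here is a small Python check that parses an ASA extended ACL such as the OUTSIDE_IN one quoted above and reports which inbound flows an outside-initiated IPsec tunnel still lacks, using the rule Khawar and Joe describe: ESP plus UDP/500 without NAT-T, UDP/500 plus UDP/4500 once NAT-T is in play. It assumes the peer/local addresses are R2 (136.1.122.2) and R1 (136.1.121.1) from the thread, models first-match ACL evaluation only, and does not model the xlate shortcut Ajay hit.

```python
import ipaddress

# Constructed sample: the OUTSIDE_IN ACL quoted in the thread; it permits ESP but has no UDP/500 entry.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
"""
PORT_NAMES = {"isakmp": 500, "www": 80, "ntp": 123}  # ASA port keywords used in this example

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Return (action, proto, src_net, dst_net, dst_port), or None for a non-ACE line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    action, proto, tokens = tokens[3], tokens[4], tokens[5:]
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
    return action, proto, src, dst, port

def acl_permits(acl_text, proto, src, dst, port=None):
    """ASA semantics: the first matching ACE decides; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in filter(None, map(parse_ace, acl_text.splitlines())):
        if (a_proto in (proto, "ip") and src in a_src and dst in a_dst
                and (a_port is None or a_port == port)):
            return action == "permit"
    return False

def missing_ipsec_flows(acl_text, peer, local, nat_t):
    """Flows an outside-initiated tunnel needs that the inbound ACL does not permit:
    ESP + UDP/500 without NAT-T; UDP/500 + UDP/4500 with NAT-T (ESP then rides inside UDP/4500)."""
    needed = {"udp/500": ("udp", 500)}
    needed.update({"udp/4500": ("udp", 4500)} if nat_t else {"esp": ("esp", None)})
    return sorted(name for name, (proto, port) in needed.items()
                  if not acl_permits(acl_text, proto, peer, local, port))
```

Running `missing_ipsec_flows(SAMPLE_ACL, "136.1.122.2", "136.1.121.1", nat_t=False)` reports that only UDP/500 is missing, which is exactly the gap Ajay's ACL has; with `nat_t=True` the ESP entry no longer helps and both UDP/500 and UDP/4500 are reported.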

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART