From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Aug 06 2008 - 08:18:55 ART
Ajay, ESP works at layer 3 and therefore has no 'Layer 4' information.
Whereas PAT uses 'ports' to differentiate between the various translation
entries which requires layer 4 information to be present in the packet. On
IOS routers, you can get ESP to work with PAT also, with some fancy tricks
like 'SPI Matching'.
On Wed, Aug 6, 2008 at 12:33 PM, Ajay mehra <ajaymehra01@gmail.com> wrote:
> I am going to try this once you help me to solve NAT-T issue ;)
> with pat enabled I get error message in ASA
> "regular translation creation failed for protocol 50 src
> inside:136.1.121.1dst outside:
> 136.1.122.2"
>
> I quickly searched archives and found this
> "you cannot translate protocol 50 which is esp using PAT you need NAT and a
> static 1 to 1 mapping to allow protocol 50 into the translated ip."
>
> I could not find next thread to confirm this and to answer why can not it
> translate ESP with PAT?
>
> Thanks,
> Ajay
>
> On 06/08/2008, Joseph Brunner <joe@affirmedsystems.com> wrote:
> >
> > Or if you're a quant like me and Khawar at this stuff (right Khawar?)
> > You can prevent the routers from doing NAT-T so the results and necessary
> > ACLs are more certain, ESP 50/UDP 500 ONLY!!!:
> >
> > no crypto ipsec nat-transparency udp-encapsulation
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Khawar Butt
> > Sent: Wednesday, August 06, 2008 5:03 AM
> > To: 'Ajay mehra'; ccielab@groupstudy.com
> > Subject: RE: IOS to IOS VPN across ASA
> >
> > Hi Ajay,
> >
> > Another thing you might want to keep an eye out for is that if the Inside
> > Router (R1) was translated, the Routers would have automatically done
> > NAT-T.
> > In that case, you don't need to open up ESP on the outside ACL. Instead,
> > you
> > would open up UDP/500 and UDP/4500.
> >
> > Best Regards,
> >
> > Khawar Butt
> > CCIE#12353 (R/S , Security , SP , Voice)
> > http://www.khawarb.com <http://www.khawarb.com/>
> > http://www.netmetric-solutions.com <http://www.netmetric-solutions.com/>
> > E-mail : khawarb@khawarb.com
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Ajay
> > mehra
> > Sent: Wednesday, August 06, 2008 4:48 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: IOS to IOS VPN across ASA
> >
> > I got an answer for my 1st query. In ASA I did not clear the xlate table before
> > initiating the connection from outside. Since there was a previous entry for UDP
> > port 500 in the xlate table I was able to initiate the tunnel from outside.
> >
> > But surely I am looking for the answer on second query until I find it by
> > myself :).
> >
> > Thanks,
> > Ajay
> >
> >
> > On 06/08/2008, Ajay mehra <ajaymehra01@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I started with IE labs today and was trying to do IOS to IOS IPsec across
> > > ASA.
> > > Can you please help me in finding the correct answer for these questions?
> > >
> > > I have R1---------------ASA-----------------------R2 with R1 on inside and
> > > R2 on outside network.
> > >
> > > R1 is 136.1.121.1 and R2 is 136.1.122.2
> > >
> > > 1: To establish an IPsec tunnel using ESP we should permit ESP on the outside
> > > interface. Also we need to permit UDP port 500 for ISAKMP on outside (only
> > > if we are initiating the tunnel from R2). But in my case the tunnel comes up even
> > > though I do not have any access list to permit UDP port 500 on the outside
> > > interface, and I am initiating the connection from R2.
> > >
> > > access-list OUTSIDE_IN extended permit icmp any any
> > > access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
> > > access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
> > > access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host
> > > 136.1.121.1
> > > access-group OUTSIDE_IN in interface outside
> > >
> > > Why is ISAKMP phase 1 negotiation successful when I initiate the connection from
> > > R2 even though I do not permit UDP port 500 on the outside interface?
> > >
> > > 2: Will the IPsec tunnel remain up even if I clear the ISAKMP SA? I was under the
> > > impression that clearing the phase 1 SA will clear the phase 2 SA also.
> > >
> > > After I do "clea crypto isakm sa" I still have counters incrementing for
> > > packets encrypt and decrypt.
> > >
> > > R2(config-if)#do sh cryp isa sa
> > > dst             src             state          conn-id slot status
> > >
> > > R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> > >     #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
> > >     #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
> > > R2(config-if)#
> > >
> > > R2(config-if)#do pi 150.1.1.1 so 150.1.2.2
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
> > > Packet sent with a source address of 150.1.2.2
> > > !!!!!
> > > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
> > >
> > > R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> > >     #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
> > >     #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
> > > R2(config-if)#
> > >
> > >
> > > Thanks,
> > >
> > > Ajay
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART
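The mechanism behind the thread (PAT keys its translation entries on a layer-4 port, ESP carries none, so the ASA logs "regular translation creation failed for protocol 50"; a static 1:1 NAT rewrites only the IP header and works; NAT-T wraps ESP in UDP/4500 and so becomes PAT-able again) is shown below as an added Python illustration. It is not code from the thread, the ASA, or IOS; the Packet, Translator, nat_t_encapsulate, nat_t_decapsulate and demo names are this example's own, and the firewall outside address 136.1.120.10 and the SPI value are constructed, while 136.1.121.1 and 136.1.122.2 are the R1/R2 addresses from Ajay's post.

```python
"""Toy firewall translation engine: static 1:1 NAT, PAT, and NAT-T encapsulation.

Added illustration for the ESP-versus-PAT discussion above; not the ASA's or IOS's
logic, and every address, port and SPI below is constructed for the example.
"""
import struct
from dataclasses import dataclass, field, replace
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # TCP/UDP only; ESP has no layer-4 port
    dst_port: Optional[int] = None
    spi: Optional[int] = None       # ESP only
    payload: bytes = b""


@dataclass
class Translator:
    """Static 1:1 entries take precedence; everything else falls through to PAT."""
    public_ip: str
    next_port: int = 1024
    pat_table: dict = field(default_factory=dict)   # (proto, inside ip, inside port) -> outside port
    static_map: dict = field(default_factory=dict)  # inside ip -> outside ip

    def translate(self, pkt: Packet):
        """Return (translated packet, how) or (None, reason a firewall would log)."""
        if pkt.src_ip in self.static_map:
            # Static NAT rewrites only the IP header, so protocol 50 needs no port.
            return replace(pkt, src_ip=self.static_map[pkt.src_ip]), "static"
        if pkt.src_port is None:
            # PAT cannot build a unique xlate without a layer-4 port: the ESP case.
            return None, f"regular translation creation failed for protocol {pkt.proto}"
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.pat_table[key]), "pat"


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap ESP in UDP/4500 the way NAT-T does: the ESP header (SPI, sequence) follows UDP."""
    assert esp.proto == PROTO_ESP and esp.spi is not None
    esp_header = struct.pack("!II", esp.spi, 1)  # constructed sequence number 1
    return Packet(PROTO_UDP, esp.src_ip, esp.dst_ip, NAT_T_PORT, NAT_T_PORT,
                  payload=esp_header + esp.payload)


def nat_t_decapsulate(udp: Packet) -> Packet:
    """Strip the UDP/4500 wrapper and recover the ESP packet the peer will process."""
    assert udp.proto == PROTO_UDP and udp.dst_port == NAT_T_PORT
    spi, _seq = struct.unpack("!II", udp.payload[:8])
    return Packet(PROTO_ESP, udp.src_ip, udp.dst_ip, spi=spi, payload=udp.payload[8:])


def demo() -> dict:
    inside, peer = "136.1.121.1", "136.1.122.2"   # R1 and R2 from the thread
    fw_outside = "136.1.120.10"                    # constructed firewall outside address
    ike = Packet(PROTO_UDP, inside, peer, IKE_PORT, IKE_PORT)
    esp = Packet(PROTO_ESP, inside, peer, spi=0x1234ABCD, payload=b"\xaa" * 16)

    pat = Translator(fw_outside)
    ike_out, ike_how = pat.translate(ike)      # UDP/500 has ports: PAT succeeds
    esp_out, esp_why = pat.translate(esp)      # ESP has none: PAT fails

    static = Translator(fw_outside)
    static.static_map[inside] = fw_outside
    esp_static_out, _ = static.translate(esp)  # 1:1 NAT carries protocol 50 through

    natt_out, natt_how = pat.translate(nat_t_encapsulate(esp))  # UDP/4500 is PAT-able
    inner = nat_t_decapsulate(natt_out)        # SPI and payload survive the translation

    return {
        "ike_pat": ike_how, "ike_src_port": ike_out.src_port,
        "esp_pat": esp_out, "esp_pat_reason": esp_why,
        "esp_static_src": esp_static_out.src_ip,
        "natt_pat": natt_how, "natt_src_port": natt_out.src_port,
        "natt_inner_spi": inner.spi, "natt_inner_src": inner.src_ip,
        "natt_inner_payload": inner.payload,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The demo also makes Khawar's ACL remark concrete: once the ESP is riding inside UDP/4500, the outside ACL has to permit UDP/500 and UDP/4500 rather than protocol 50, and any detection rule or flow log written for "esp" will no longer match the traffic at all.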