From: Darby Weaver (ccie.weaver@gmail.com)
Date: Thu Jan 22 2009 - 12:13:56 ARST
Well...
By default the router is a router and unless you are already filtering,
IPSec will just pass through normally - at least with a Cisco Router.
If you are using a SOHO Router - you need to enable NAT-T or NAT Traversal.
The specific ports are:
IP Protocol 50 or ESP
UDP Port 500 or ISAKMP
UDP 4500 or ESP over UDP
Note: AH or IP Protocol 51 is not used a lot these days due to the fact that
it does NOT work well with NAT Traversal - The reason is self-explanatory -
hint: look at how it handles the packet - so it just does not work well with
NAT by definition.
Don't laugh, but I once ran into a self-proclaimed Security Guru who
couldn't make the connection between UDP 500 traffic and IPSec - they had
enabled IPSec on their Windows Servers and he opened a ticket with TAC for
about 2+ months; he claimed CiscoWorks had a bug and TAC was working on
it.... I put a Server in; it had the same problem. I just asked for a
packet capture with Wireshark... Dude was like.... "How did you know
that?" I was thinking "Dude ought to wear a sign!". Especially if a
Security Expert cannot recognize UDP 500 as ISAKMP in 2008. Live and let
live... I wonder if he ever got that IPSec VPN up and running?
Now as for the Private Address Space issue.
You can either NAT on the ASA itself (if your address space is being
advertised to the world) or you can perform the NAT at your Router if you
only have a single IP or only wanted to use a single IP for some reason. If
it's at your house for instance you'd just perform NAT at the router and
forward the ports to your next device of your choice. NAT Traversal itself
would handle the IPSec Traffic magically for you. You can use the Sysopt
command option in the PIX/ASA to permit the same traffic, but if you want to
be more granular, then you would prefer to write the ACL and be specific on
where IPSec might or might not be allowed inside your network.
Let me know if you need more.... Offline is fine too.
On 1/22/09, Asim Zafar <asim.mz@gmail.com> wrote:
>
> Dear Group,
>
>
> How can I set up a Cisco router to pass IPsec ports and create an IPsec
> tunnel behind it on an ASA 5510 which will be on a private IP address?
>
>
>
> --
> Thanks & Regards,
>
> Asim Zafar
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
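The "single public IP at the router, ASA behind it" case that the reply describes, written out as an IOS configuration. This is an added example, not part of the original thread or anything the posters ran; it assumes a Cisco IOS router with its ISP address on FastEthernet0/0, the LAN on FastEthernet0/1 as 192.168.1.0/24, and the ASA 5510's outside interface at 192.168.1.2 (all assumed values). The static ESP mapping needs an IOS image with the "IPsec ESP Through NAT" feature; check with `ip nat inside source static ?` before relying on it.

```text
! Router side (IOS). Added example, assumed addressing, not from the thread.
!
interface FastEthernet0/0
 description ISP uplink, the single public address
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description LAN, the ASA outside interface sits here as 192.168.1.2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Ordinary PAT for everything else leaving through the public address
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Forward the IPsec control and data channels to the ASA:
!   UDP 500   ISAKMP / IKE
!   UDP 4500  NAT-T: IKE and ESP-in-UDP once the peers detect a NAT
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet0/0 4500
!
! Raw ESP (IP protocol 50) for a peer that does not negotiate NAT-T.
! Only one inside host can own this mapping, which is why NAT-T exists:
! a second IPsec device behind the same public IP has to use UDP 4500.
ip nat inside source static esp 192.168.1.2 interface FastEthernet0/0
!
! ASA side (assumed 7.x/8.x syntax). NAT-T keepalives every 20 seconds so
! the router's UDP 4500 translation does not time out while the tunnel is
! idle, and let decrypted traffic bypass the interface ACL as the reply
! mentions; replace the sysopt line with explicit ACL entries if you want
! to be granular about where IPsec traffic may go.
crypto isakmp nat-traversal 20
sysopt connection permit-vpn
```

If an inbound ACL is applied on the router's outside interface it must also admit the same three things, and IOS has port keywords for the two UDP ports: `permit udp host <peer> any eq isakmp`, `permit udp host <peer> any eq non500-isakmp` (4500) and `permit esp host <peer> any`. AH (protocol 51) is deliberately absent: its integrity check covers the outer IP addresses that the router rewrites, so it cannot survive the translation above, whereas ESP's integrity check stops at the ESP header and passes unchanged.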
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST