Thanks Tyson for your advice. I should have included more info. I am trying
to get an understanding of the protocol behavior.
The client is coming from a public IP 137.65.x.x address behind an FWSM with no
NAT enabled. Are you saying that in this case the VPN client would not try
to connect via UDP 4500? If we didn't have IPSec over UDP 10000 enabled, it
will default to ESP. If we have IPSec over UDP 10000 enabled, this will be
the default? Am I right?
Thanks.
Amituofo, Amitabha
Kim
-----Original Message-----
From: Tyson Scott [mailto:tscott_at_ipexpert.com]
Sent: Friday, January 22, 2010 9:47 AM
To: 'Kim Teu ??? Teu Kim Loon'; 'Farrukh Haroon'
Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
Subject: RE: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
Kim,
Going back to the original post, it will do you well to add more info in the
future. Is the actual client behind the FWSM being NAT'ed? You have never
given information about whether this is the case or not. If the client is
using public address space or private address space that you route between
the two sites then just because it is behind a firewall does not make the
client attempt to connect via UDP 4500.
Doing things like adding debug output, giving source/destination data, and
listing the steps you have taken will isolate the problem and make it more
likely that you will get an answer that helps you. A debug crypto isakmp
<somewhere between 127 and 255> on the VPN hub would be a really good place
to start.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
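The NAT detection Tyson describes (a client that is not NAT'ed does not move to UDP 4500) is the RFC 3947 NAT-D exchange: each peer sends a hash of the address and port it believes it is using, and the other side recomputes the hash from what it actually observed on the wire. The following is an added illustration, not code from this thread or from Cisco; the cookies and addresses are constructed, and SHA-1 is assumed as the negotiated phase 1 hash.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (8 bytes each, taken from the ISAKMP header).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 assumed as the negotiated hash; IP is the packed address,
    Port is 2 bytes big-endian."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def client_sends_nat_d(client_ip: str, client_port: int) -> bytes:
    """The client hashes its source address/port as it sees them (pre-NAT)."""
    return nat_d_hash(CKY_I, CKY_R, client_ip, client_port)


def hub_detects_nat(received_nat_d: bytes, observed_ip: str, observed_port: int) -> bool:
    """The hub recomputes the hash from the source address/port it observed.
    A mismatch means a NAT device rewrote the packet in transit."""
    return nat_d_hash(CKY_I, CKY_R, observed_ip, observed_port) != received_nat_d


def select_encapsulation(nat_present: bool) -> str:
    """With NAT-T negotiated, ESP is wrapped in UDP 4500 only when NAT was
    detected; otherwise ESP stays native IP protocol 50 (RFC 3948)."""
    return "UDP 4500 (ESP in UDP)" if nat_present else "IP protocol 50 (native ESP)"


def run_scenario(client_ip: str, client_port: int, observed_ip: str, observed_port: int) -> str:
    """One NAT-D round trip: what the client claims vs. what the hub sees."""
    nat_d = client_sends_nat_d(client_ip, client_port)
    return select_encapsulation(hub_detects_nat(nat_d, observed_ip, observed_port))


if __name__ == "__main__":
    # Constructed: public client behind a firewall with no NAT, hub sees the same address.
    print(run_scenario("137.65.1.10", 500, "137.65.1.10", 500))
    # Constructed: private client NAT'ed to a public address, hub sees a different address.
    print(run_scenario("10.0.0.5", 500, "203.0.113.7", 4321))
```

The first scenario matches the case in this thread: with no NAT in the path the hashes agree, so the session never switches to UDP 4500 and the firewall must permit IP protocol 50 (or a UDP fallback such as IPSec over UDP 10000 must be configured).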
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Kim
Teu ??? Teu Kim Loon
Sent: Friday, January 22, 2010 10:21 AM
To: 'Farrukh Haroon'
Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
Subject: RE: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
Yes, NAT-T UDP 4500 and IPSec over UDP are working fine. I also have the
"IPSEC over UDP"/NAT-T option on the VPN client enabled. My question is
when one protocol would be used over the other.
Thanks.
Kim
_____
From: Farrukh Haroon [mailto:farrukhharoon_at_gmail.com]
Sent: Friday, January 22, 2010 4:55 AM
To: Kim Teu ??? Teu Kim Loon
Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
Subject: Re: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN
Did you enable the "IPSEC over UDP"/NAT-T option on the VPN client? Just
have to check an option in the VPN client properties.
On Fri, Jan 22, 2010 at 12:22 AM, Kim Teu ??? Teu Kim Loon
<kim.teu_at_gmail.com> wrote:
Hello Expert,
When NAT-T, IPSec over UDP 10000 & TCP 10000 is enabled, what's the order of
operation? Is NAT-T always the priority?
I have an ASA VPN head end with Remote Access VPN configured and NAT-T
enabled.
A PC user with the Cisco VPN client at a remote site behind an FWSM is having problems
connecting using UDP 4500. The connection is going over IP-Proto 50. It's
only working when I enable IPSec over UDP 10000 or allow IP-Proto 50
inbound.
The client site firewall has outbound permit any any.
Any idea why?
Received on Fri Jan 22 2010 - 09:59:01 ART