ESP through PAT

Unanswered Question
Mar 22nd, 2009

I have a site-to-site tunnel between a router (IOS 12.4) and an ASA (8.0(3)).

The tunnel is passing through a router which is doing PAT.

I thought the tunnel was running NAT traversal over UDP 4500 by default, but that was not correct.

But when I monitored the translation table on the PAT router, I found ESP traffic being translated with a strange port number. How is that possible, since the ESP packet has no port and, as far as I know, it should not work with PAT without a layer 4 header?

Thanks

sushilmenon Mon, 03/23/2009 - 03:56

Hi

In the newer IOS and on the ASA, NAT-T is enabled by default unless you have disabled it.

Have you checked the ports? Are they in the UDP port range of 10000? The Cisco implementation supports either the legacy NAT-T on 4500 or the Cisco UDP 10000.

On some IOS I have also noticed that when you enable NAT on the IOS routers, it enables SPI-based NAT, where it differentiates the ESP traffic on the basis of the SPI negotiated in the IPsec phase 2.

I think the strange numbers which you are seeing on the router are the SPI numbers.

You can check the SPI numbers in the IPsec SA and verify them.

Check it and let me know. Will surely try to help you out.

Regards

Sushil

bassam.abbasi Wed, 03/25/2009 - 09:59

Hi Sushil

Thanks for your reply, and yes indeed the numbers which I found in the NAT table are the SPIs, even though I don't have NAT-T or NAT over TCP/UDP enabled.

Do you know what that feature is called, and is it a standard and supported by all 12.4 IOS releases?

Thanks


sushilmenon Wed, 03/25/2009 - 23:45

Hi

I am glad my post was of a little help to you.

See, the SPI-based NAT is not dependent on NAT-T. It's a Cisco feature and not a standard.

By default after 12.3T IOS, when you enable PAT on an IOS router and it sees ESP traffic, it by default starts SPI-based NAT for ESP traffic.

In 12.2T IOS this feature had to be enabled manually.

You are working on 12.4, so it's by default.

The feature is called SPI-based NAT.

Regards

Sushil
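The behaviour Sushil describes in his two replies, and the question that opened the thread, modelled in a short Python script. This is an added example, not code from the thread, from Cisco, or from IOS: the addresses and SPIs are constructed, and the rule it uses to pair an inbound SPI with the outbound entry is a simplification of my own, not a description of how IOS does it. It shows why classic port-based PAT has nothing to key a plain ESP packet on (NAT-T in UDP 4500 does carry ports), why the 32-bit SPI ends up where a port would sit in the translation table, and that an inbound ESP packet from a peer with no entry is simply dropped.

```python
import struct
from ipaddress import IPv4Address

PROTO_UDP = 17
PROTO_ESP = 50


def build_ipv4(src, dst, proto, payload):
    """Constructed packet: minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_esp(spi, seq, body=b"\x00" * 16):
    """ESP header: SPI (4 bytes) + sequence number (4 bytes), then the protected data."""
    return struct.pack("!II", spi, seq) + body


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def flow_key(pkt):
    """What a PAT device can key a flow on: UDP (e.g. NAT-T on 4500) has real
    L4 ports; plain ESP has none, so the only per-SA identifier in the clear
    is the SPI, which is why it shows up in the port column of the table."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("udp", src, sport, dst, dport)
    if proto == PROTO_ESP:
        (spi,) = struct.unpack("!I", payload[:4])
        return ("esp", src, dst, spi)
    return None  # no usable L4 identifier: classic PAT cannot translate this


class SpiPat:
    """Toy SPI-aware PAT. Entries are keyed on the outbound SPI; the return SA
    uses a different SPI, so the first inbound ESP from the same peer with an
    unknown SPI is bound to the newest unpaired entry for that peer. That
    pairing rule is my simplification (hypothetical), not IOS behaviour."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.entries = []  # each: {"inside", "peer", "out_spi", "in_spi"}

    def outbound(self, pkt):
        """Inside -> outside: create the SPI entry if new, rewrite the source."""
        key = flow_key(pkt)
        if key is None or key[0] != "esp":
            raise ValueError("only plain ESP is modelled here")
        _, inside, peer, spi = key
        if not any(e["inside"] == inside and e["peer"] == peer and e["out_spi"] == spi
                   for e in self.entries):
            self.entries.append({"inside": inside, "peer": peer,
                                 "out_spi": spi, "in_spi": None})
        return build_ipv4(self.outside_ip, peer, PROTO_ESP, parse_ipv4(pkt)[3])

    def inbound(self, pkt):
        """Outside -> inside: look up (peer, inbound SPI), or bind a new inbound
        SPI to an unpaired entry; return None (drop) when nothing matches."""
        key = flow_key(pkt)
        if key is None or key[0] != "esp" or key[2] != self.outside_ip:
            return None
        _, peer, _, spi = key
        match = next((e for e in self.entries
                      if e["peer"] == peer and e["in_spi"] == spi), None)
        if match is None:
            unpaired = [e for e in self.entries
                        if e["peer"] == peer and e["in_spi"] is None]
            if not unpaired:
                return None  # no translation for this peer: packet dropped
            match = unpaired[-1]
            match["in_spi"] = spi
        return build_ipv4(peer, match["inside"], PROTO_ESP, parse_ipv4(pkt)[3])

    def translations(self):
        """Render entries with the SPI in the place a port would normally sit."""
        return [f"esp {self.outside_ip}:0x{e['out_spi']:08x} "
                f"{e['inside']}:0x{e['out_spi']:08x} "
                f"{e['peer']}:0x{(e['in_spi'] or 0):08x}" for e in self.entries]


def run_scenario():
    """Constructed topology: router 192.168.1.10 behind PAT address 203.0.113.1,
    ASA peer at 198.51.100.5; SPIs are made-up values."""
    pat = SpiPat("203.0.113.1")
    fwd = pat.outbound(build_ipv4("192.168.1.10", "198.51.100.5", PROTO_ESP,
                                  build_esp(0x1A2B3C4D, 1)))
    back = pat.inbound(build_ipv4("198.51.100.5", "203.0.113.1", PROTO_ESP,
                                  build_esp(0x9F8E7D6C, 1)))
    stray = build_ipv4("192.0.2.99", "203.0.113.1", PROTO_ESP,
                       build_esp(0x11111111, 1))  # ESP from a peer with no entry
    return {"forward_src": parse_ipv4(fwd)[0],
            "return_dst": parse_ipv4(back)[1],
            "stray_dropped": pat.inbound(stray) is None,
            "table": pat.translations()}


if __name__ == "__main__":
    for line in run_scenario()["table"]:
        print(line)
```

To confirm the same thing on the real devices, compare the inbound and outbound SPIs shown by `show crypto ipsec sa` on the router or the ASA with the values that appear in the port position of `show ip nat translations` on the PAT router; a translation entry that appears for the outbound SPI but never gets a matching return flow is the symptom to look for when a tunnel comes up in one direction only.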
