NAT traversal

Unanswered Question
Sep 16th, 2009

Hi all.

My company has 2 sites, each configured with a Cisco ASA 5510 with VPN. Originally, the site A firewall was configured with only IPsec passthrough, while site B was configured with both IPsec passthrough and NAT traversal. Users at site B could VPN into site A but were unable to access any resources at A. However, from my home, I could VPN into site A and access network resources within site A. I then added NAT traversal to the site A firewall to resolve the problem. Why is this so? Can someone also explain the difference between NAT traversal and IPsec passthrough? Thanks in advance.

JORGE RODRIGUEZ Wed, 09/16/2009 - 14:18

IPsec pass-through and NAT-T are two different things - same family but different purposes; keep them separate so as not to get confused.

IPsec pass-through, besides the inspection engine (which is another topic), opens up the IPsec VPN ports. In earlier PIX versions, 6.x or below, you had to open up the specific IPsec ports by access list instead so that your inside users could VPN outbound to other VPN gateways. In ASA 7.x and above you no longer need ACLs to accomplish this; inspect ipsec-pass-through does it.


http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168



As for enabling NAT-T, the short answer: it simply allows the PIX/ASA or IOS, over UDP 4500, the detection of NAT devices between them and then allows further negotiation of UDP-encapsulated IPsec packets.

Couldn't explain it better here - to get the picture, read this entire link - see number 4 (the problem): http://www.ittc.ku.edu/~kpm/ipsec_udp_encap/

A couple of other references - read RFC 3947 and RFC 3948:


http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/rfc3947.txt

http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/rfc3948.txt
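As an added illustration (not from the thread and not Cisco's code), here are the two mechanisms the reply describes, in Python: the RFC 3947 NAT-D hash a peer uses to detect a NAT in the path, and the RFC 3948 demultiplexing of what arrives on UDP 4500 (IKE behind a non-ESP marker, UDP-encapsulated ESP, or a NAT keepalive). The cookies and addresses are constructed sample values, and SHA-1 stands in for whatever hash the ISAKMP SA negotiated.

```python
import hashlib
import socket
import struct

# Constructed sample IKEv1 cookies (not from any real exchange).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
    IP is the raw 4-byte IPv4 address, Port is 2 bytes network order.
    SHA-1 is assumed here; the real hash is whatever the SA negotiated."""
    return hashlib.sha1(
        cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def nat_detected(received: bytes, cky_i: bytes, cky_r: bytes,
                 seen_ip: str, seen_port: int) -> bool:
    """Receiver recomputes the hash from the source address/port it actually
    observed on the wire. A mismatch means a NAT rewrote them in transit, so
    the peers move to UDP 4500 and UDP-encapsulate ESP (RFC 3948)."""
    return received != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)


def classify_udp4500(payload: bytes) -> dict:
    """RFC 3948 sections 2.1-2.3: demultiplex a UDP/4500 datagram body.
    - one byte 0xFF            -> NAT keepalive
    - 4 zero bytes (non-ESP marker) -> IKE follows
    - otherwise                -> ESP header: SPI (never 0) then sequence no."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}


if __name__ == "__main__":
    # Initiator behind a NAT hashes its private address; the responder sees the
    # translated public address/port and the hashes differ.
    sent = nat_d_hash(CKY_I, CKY_R, "192.168.1.10", 500)
    print("NAT in path:", nat_detected(sent, CKY_I, CKY_R, "203.0.113.5", 4500))
    print(classify_udp4500(struct.pack("!II", 0x1234ABCD, 7) + b"\xaa" * 16))
```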


