Community Member

IPSEC pass through and policy based NAT

I intended to share one of my Public IP addresses between two services

1: An HTTPS service on my inside network accessed from the Internet

2: An IPSEC tunnel terminating on an internal device (other end is 4.2.2.2 on the Internet)

Then I realised ESP and AH would also be needed.

I read up on inspect ipsec-pass-thru; however, my first impression is that I will have no choice but to use 1 public IP for the IPSEC pass-through and not be able to share it with anything else

i.e.

(inside,outside) tcp 1.2.3.4 443 10.1.2.3 443 netmask 255.255.255.255
!
(inside,outside) udp 212.44.8.217 443 10.44.4.248 500 netmask 255.255.255.255
(inside,outside) udp 212.44.8.217 443 10.44.4.248 4500 netmask 255.255.255.255

And, this is where I am stuck. I realise I need to NAT ESP and AH between 4.2.2.2 and 10.1.2.3

Help!

1 REPLY
VIP Purple

IPSEC pass through and policy based NAT

First, you don't need AH. It's not used for VPNs any more. And you don't need to NAT ESP. If both IPSec devices are NAT-Traversal enabled, then the whole ESP communication is encapsulated in UDP/4500.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
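As an added illustration of the reply above (not code from the original thread), here is a small Python classifier for the payload of a UDP/4500 datagram as laid out in RFC 3948: once NAT-Traversal is negotiated, IKE arrives behind a four-zero-byte non-ESP marker and ESP arrives as a plain ESP header, both inside UDP/4500, so a firewall only needs UDP/500 and UDP/4500 entries and no protocol-50 (ESP) or protocol-51 (AH) NAT. The sample packets and SPI values are constructed inline.

```python
import struct

# RFC 3948: UDP/4500 payloads beginning with four zero bytes carry IKE;
# anything else is ESP (an ESP SPI of zero is reserved, so no ambiguity).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"          # one-byte NAT keepalive, RFC 3948 section 2.3
IKE_HEADER_LEN = 28              # IKEv1/IKEv2 fixed header size


def classify_natt_payload(udp_payload: bytes) -> dict:
    """Classify one UDP/4500 payload as keepalive, IKE, ESP or unknown."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "unknown"}
        ispi, rspi = struct.unpack("!QQ", ike[:16])
        return {"kind": "ike", "initiator_spi": ispi,
                "responder_spi": rspi, "exchange_type": ike[18]}
    if len(udp_payload) >= 8:
        spi, seq = struct.unpack("!II", udp_payload[:8])
        if spi != 0:
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def summarize(payloads) -> dict:
    """Count payload kinds seen on UDP/4500; all ESP shows up here, not as IP proto 50."""
    counts = {}
    for p in payloads:
        kind = classify_natt_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples (not captured traffic): an IKEv2 IKE_SA_INIT header
# (exchange type 34) behind the non-ESP marker, an ESP packet with a made-up
# SPI, and a NAT keepalive.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 0x21, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for p in (SAMPLE_IKE, SAMPLE_ESP, SAMPLE_KEEPALIVE):
        print(classify_natt_payload(p))
    print(summarize([SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, SAMPLE_KEEPALIVE]))
```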
