I have been hearing a lot about how to technically make NAT work with IPSec in tunnel mode. We have several different types of VPN servers here at WorldCom and I was wondering if the NAPT built into IOS was going to be outfitted to handle the translation of IPSec? I know that there is a methodology out there that uses different fields in the IPSec header to track translation and would REALLY like to see it implemented in the home office routers like the 800 series.
Let me see if I can help you out with this. From what I understand NAPT can only be used for port specific IP protocols such as TCP or UDP. IP protocols used for VPN tunneling aren't port specific and they require their own IP address. By having their own address they provide TCP and UDP while offering VPN protocol support simultaneously. You might want to check with your Cisco rep but I haven't seen this with any competing products either, likely for these reasons.
I have a similar need. There is a product from Linksys that can pass IPSec traffic from my NAT'ed address to the VPN server and it works fine. I can even have multiple inside IPSec sessions through a single real address. This is a $100 box. I'd like to see this functionality on our PIX firewalls. If a $100 box can do this, my big, expensive firewall should be able to do the same.
Well, the IETF IPSec working-group has not yet come out with a standard for IPSec over NAT. Cisco has a workaround for IPSec to work when the devices are behind a firewall that does NAT translation (NAT overload) which causes IPSec packets that use ESP and AH protocol combinations to drop packets. This is known as IPSec over UDP and the packet integrity and authenticity are left intact and therefore IPSec works over NAT! This explanation can get as long as you want so let me know if you need further details.
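To make the two points in this thread concrete (a port-based NAPT has no field to multiplex raw ESP on, and wrapping ESP in UDP gives it one), here is a small added model written for this thread; it is not code from any of the posters or from Cisco. It is a toy port-overload translator: addresses, ports and SPIs are constructed sample values, and "UDP encapsulation" here just means re-labelling the packet as UDP/4500 the way RFC 3948 NAT-T does on the wire. The SPI is carried along only to show that the translator never looks at it.

```python
from dataclasses import dataclass, replace
from typing import Optional

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port used for UDP-encapsulated ESP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # present for TCP/UDP only
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # ESP SPI, illustrative; NAPT never touches it


class Napt:
    """Port-based NAT overload: one public address shared by many inside hosts."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside_ip, inside_port) -> public port
        self.back = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            # ESP and AH carry no port field, so a port-based translator has
            # nothing to allocate and nothing to key its table on. With more
            # than one inside host it cannot tell returning packets apart,
            # which is why the packet is simply dropped in this model.
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            return None
        inside = self.back.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None                    # no mapping: unsolicited, dropped
        ip, port = inside
        return replace(pkt, dst_ip=ip, dst_port=port)


def udp_encapsulate(esp: Packet) -> Packet:
    """Model NAT-T encapsulation: the ESP packet rides as payload of UDP/4500."""
    return Packet(PROTO_UDP, esp.src_ip, esp.dst_ip, NAT_T_PORT, NAT_T_PORT, esp.spi)


def run_scenario() -> dict:
    nat = Napt("203.0.113.1")   # constructed public address of the NAT box
    gw = "198.51.100.10"        # constructed VPN gateway address
    raw_a = Packet(PROTO_ESP, "10.0.0.5", gw, spi=0x1001)
    raw_b = Packet(PROTO_ESP, "10.0.0.6", gw, spi=0x1002)

    # Two inside hosts, same gateway: each gets its own public port.
    enc_a = nat.outbound(udp_encapsulate(raw_a))
    enc_b = nat.outbound(udp_encapsulate(raw_b))

    # Gateway replies to the public port it saw; NAPT maps it back to host A.
    reply_to_a = Packet(PROTO_UDP, gw, nat.public_ip,
                        NAT_T_PORT, enc_a.src_port, spi=0x2001)
    back_a = nat.inbound(reply_to_a)

    return {
        "raw_esp_translated": nat.outbound(raw_a),   # None: no port to rewrite
        "encap_a_port": enc_a.src_port,
        "encap_b_port": enc_b.src_port,
        "reply_reaches": back_a.dst_ip,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model only shows the translation half of the problem. A real NAT-T deployment additionally has IKE detect the NAT and negotiate the encapsulation, and sends periodic keepalives so the translator does not time out the UDP mapping while the tunnel is idle; the Linksys box mentioned above is doing something similar to this port-based bookkeeping for its multiple inside sessions.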