NAT-T is used for phase II and not phase I. The router uses UDP 500 to 
establish phase I first, and must use UDP 500. This port is not 
configurable. During the establishment of phase I, the original source 
UDP port and IP address are included, so the receiving router will know 
if NAT has taken place. If NAT has taken place, phase II uses UDP port 
4500 (or whatever port is configured) instead of using ESP, which cannot 
be used when NAT is used.

Dave Craddock wrote:
>
> Doesn't the VPN from a router run NAT-T by default, so if 500 is 
> blocked it goes to other ports or TCP for the connection?
>
> *From:* [email protected] 
> [mailto:[email protected]] *On Behalf Of *Asif 
> Khan
> *Sent:* 30 January 2010 12:46
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] udp port 500 required?
>
> Hello group,
>
>
> Topology: R1 <-> ASA <-> R2
> Traffic between R1 lo0(1.1.1.1) and R2 lo0(2.2.2.2) protected by l2l 
> IPSec.
>
> I am using the following ACL on both inside and outside interfaces of ASA:
>
> access-list VPN extended deny udp any any log
> access-list VPN extended permit esp any any
> access-group VPN in interface outside
> access-group VPN in interface inside
>
> but I am able to bring up the tunnel from both inside and outside ...
>
> Shouldn't blocking udp500/4500 block the tunnel construction?
>
> Thanks in Advance,
> - Asif
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com

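An added example, not from anyone in this thread: a small Python classifier that tells apart IKE on UDP 500, NAT-T on UDP 4500 (IKE behind the non-ESP marker versus UDP-encapsulated ESP, per RFC 3948) and raw ESP (IP protocol 50), then applies the ACL from Asif's post to constructed packets. It makes the thread's point concrete: "permit esp" covers only raw ESP, while every NAT-T packet is UDP and falls under "deny udp". The packets, addresses and SPIs are constructed for the test; checksums are left at zero.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

def build_ipv4(proto, payload):
    """Constructed minimal IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def build_udp(sport, dport, data):
    """Constructed UDP header (zero checksum) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Label one IPv4 packet: ike, natt-ike, natt-esp, natt-keepalive, esp or other."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_ESP:
        return "esp"                       # raw ESP, IP protocol 50
    if proto != IPPROTO_UDP:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data = pkt[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"                       # ISAKMP, UDP 500
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"        # RFC 3948 section 2.3
        if data[:4] == b"\x00\x00\x00\x00":
            return "natt-ike"              # non-ESP marker, RFC 3948 section 2.2
        return "natt-esp"                  # first 4 bytes are the ESP SPI, section 2.1
    return "other"

def acl_permits(pkt):
    """The post's ACL: deny udp any any; permit esp any any; implicit deny."""
    proto = pkt[9]
    return proto == IPPROTO_ESP and proto != IPPROTO_UDP

# Constructed sample packets (initiator SPI / ESP SPI values are made up).
ISAKMP_HDR = b"\x11" * 8 + b"\x00" * 20
ESP_BODY = b"\x00\x00\xab\xcd" + b"\x00\x00\x00\x01" + b"\x5a" * 16
SAMPLES = {
    "ike": build_ipv4(IPPROTO_UDP, build_udp(500, 500, ISAKMP_HDR)),
    "natt_ike": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + ISAKMP_HDR)),
    "natt_esp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_BODY)),
    "natt_keepalive": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
    "esp": build_ipv4(IPPROTO_ESP, ESP_BODY),
}

def audit():
    """Map each sample's classification to whether the ACL would let it through."""
    return {classify(p): acl_permits(p) for p in SAMPLES.values()}
```

Running `audit()` shows that only the raw ESP packet is permitted; IKE and all NAT-T traffic would be dropped by that ACL, which is why the tunnel coming up anyway deserves a second look at what path and policy the packets actually take.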