Hi Tyson,

GETVPN GMs just use the SAs sent from the KS. If we have NAT between the GMs, then the ESP tunnel between the GMs will fail, right, as ESP can't be NATed?

Since the ESP SAs are downloaded, GMs have no option for NAT-T. How do we handle this case of NAT being between the GMs in real time?

With regards,
Kings

On Wed, Jun 2, 2010 at 8:59 PM, Tyson Scott <[email protected]> wrote:
> Make sure you configure it for all line numbers that show up in the
> configuration. So check to see if they have changed the default values.
>
> If ICMP payload is 1000 bytes then the packet is actually at least 1020
> bytes with the IP header. You should probably start at 980 or some number
> around there if not paying attention to headers.
>
> If no group members are behind the ASA then just UDP 848. If GMs are behind
> the ASA then 848, ESP, and UDP 4500 if you have NAT enabled.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Dnyaneshwar Gore
> Sent: Wednesday, June 02, 2010 10:48 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Some general queries
>
> Hi All,
>
> 1. Switch VTY line numbers = If the question asks to implement aaa
> authentication on telnet lines on switch & router, then which line numbers
> should we consider from the exam point of view? Is it
>
> - VTY 0 4
> - VTY 0 15
> - VTY 0 807
>
> 2. Large ICMP IP Signature tuning = There are two separate questions on the
> large ICMP signature:
>
> - Configure a signature to fire if the size of an ICMP packet is 5000 bytes.
> - Fire an alarm if the size of an ICMP packet is greater than 1000 bytes.
>
> We should configure "ICMP total length = 5000" for the first question.
> And "IP payload length = 1000-65535" for the second question.
> Is this solution correct?
>
> 3. What ports need to be opened for GET-VPN in ASA if the KS is behind a NAT
> device?
> Are they: udp 500, 4500 and 848?
>
> Regards,
> DMG
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
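The header accounting behind the "1000 bytes of ICMP payload is at least 1020 bytes with the IP header" remark, and the two length conditions from question 2, as an added example that is not part of this thread. It builds constructed IPv4/ICMP echo packets with the standard library only and assumes that "ICMP total length" is matched against the IP total-length field and "IP payload length" against the bytes after the IP header; with 20 bytes of IPv4 header and 8 bytes of ICMP header, 1000 bytes of echo data gives a 1028-byte datagram whose IP payload is 1008 bytes.

```python
"""Added example, not from the thread: IP-header accounting for ICMP length
signatures, checked against constructed IPv4/ICMP echo packets."""
import struct

IPV4_HDR_LEN = 20  # IPv4 header without options
ICMP_HDR_LEN = 8   # type, code, checksum, identifier, sequence number


def build_icmp_echo(data_len):
    """Constructed IPv4 + ICMP echo request carrying data_len bytes of data.
    Checksums are left zero (constructed sample); length fields are unaffected."""
    total_len = IPV4_HDR_LEN + ICMP_HDR_LEN + data_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 1, 0, 64, 1, 0,   # proto 1 = ICMP
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    return ip_hdr + icmp_hdr + b"\x00" * data_len


def ip_lengths(pkt):
    """Return the three sizes a length signature can be written against."""
    ihl = (pkt[0] & 0x0F) * 4                   # header length from the IHL nibble
    total = struct.unpack("!H", pkt[2:4])[0]    # IP total length field
    ip_payload = total - ihl                    # everything after the IP header
    return {"ip_total": total,
            "ip_payload": ip_payload,
            "icmp_data": ip_payload - ICMP_HDR_LEN}


def sig_total_length_equals(pkt, value):
    """'ICMP total length = value' (assumed: compares the IP total length)."""
    return ip_lengths(pkt)["ip_total"] == value


def sig_ip_payload_in_range(pkt, low, high):
    """'IP payload length = low-high' (assumed: total length minus IP header)."""
    return low <= ip_lengths(pkt)["ip_payload"] <= high


if __name__ == "__main__":
    # 1000 bytes of echo data -> 1028-byte datagram, 1008-byte IP payload
    print(ip_lengths(build_icmp_echo(1000)))
    # a 5000-byte datagram needs 4972 bytes of echo data
    print(sig_total_length_equals(build_icmp_echo(4972), 5000))
    # 992 bytes of data is the smallest echo whose IP payload reaches 1000
    print(sig_ip_payload_in_range(build_icmp_echo(992), 1000, 65535))
```

The practical consequence for tuning a lab signature is visible in the last two calls: a threshold written against the IP payload fires 8 bytes of echo data earlier than one written against the echo data itself, and a threshold written against the total length fires 28 bytes earlier.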
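Why a port-overloading NAT between two group members cannot carry plain ESP, and what the UDP/4500 encapsulation that NAT-T uses (RFC 3948) gives such a NAT to work with, as an added example that is not part of this thread. The translator is a toy PAT written for this example, addresses are constructed documentation ranges, and checksums are left at zero; the point it shows is that ESP (IP protocol 50) has an SPI and a sequence number but no transport port, so a PAT has nothing to multiplex on and drops it, while the same ESP bytes inside UDP port 4500 translate like any other UDP flow.

```python
"""Added example, not from the thread: ESP versus UDP-encapsulated ESP seen
from a toy port-address-translating NAT (constructed packets, stdlib only)."""
import struct

PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port carrying NAT-T encapsulated ESP (RFC 3948)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, src_b, dst_b)


def build_esp(src, dst, spi, seq, body):
    """ESP directly over IP (protocol 50): SPI, sequence number, no ports."""
    esp = struct.pack("!II", spi, seq) + body
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def build_udp_encap_esp(src, dst, spi, seq, body):
    """Same ESP bytes wrapped in UDP/4500, as NAT-T does, so a NAT sees ports."""
    esp = struct.pack("!II", spi, seq) + body
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def parse(pkt):
    """Pull out the fields a NAT (or an ACL) would key on."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}
    l4 = pkt[ihl:]
    if info["proto"] == PROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif info["proto"] == PROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", l4[:8])
    return info


class PatTranslator:
    """Toy overload NAT: one outside address, table keyed on (proto, inside ip, inside port)."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.table = {}
        self.next_port = 20000  # first outside port handed out (constructed)

    def outbound(self, pkt):
        """Return the translated packet, or None when there is no port to key on."""
        info = parse(pkt)
        if info["proto"] != PROTO_UDP:
            # ESP carries SPI/sequence but no transport port: nothing to multiplex on
            return None
        ihl = (pkt[0] & 0x0F) * 4
        key = (info["proto"], info["src"], info["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        new_port = struct.pack("!H", self.table[key])
        out_b = bytes(int(o) for o in self.outside_ip.split("."))
        # rewrite source address and source port; checksums stay zero in this sample
        return pkt[:12] + out_b + pkt[16:ihl] + new_port + pkt[ihl + 2:]


def demo():
    """Run both packet forms through the toy PAT and report what got through."""
    body = b"\x00" * 32  # constructed stand-in for the encrypted payload
    nat = PatTranslator("203.0.113.1")
    plain = build_esp("10.1.1.10", "192.0.2.20", 0x1000, 1, body)
    encap = build_udp_encap_esp("10.1.1.10", "192.0.2.20", 0x1000, 1, body)
    translated = nat.outbound(encap)
    return {"esp_passes": nat.outbound(plain) is not None,
            "nat_t_passes": translated is not None,
            "nat_t_translated": parse(translated) if translated else None}


if __name__ == "__main__":
    print(demo())
```

This is also why the reply above lists UDP 4500 alongside ESP and UDP 848 on the ASA when NAT is in play: the encapsulated form is UDP traffic and needs its own permit, and a PAT that only ever sees protocol 50 has no flow to build state for.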
