ASA doesn't handle ESP over PAT. The peers establish the SAs as ISAKMP
uses UDP 500, which is translated, but when sending ESP it fails and the ASA
gives the following error message:


asa2# %ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.20.30.41 dst outisde:20.10.30.41
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:10.20.30.41 dst outisde:20.10.30.41


With regards
Kings

On Mon, Sep 27, 2010 at 8:01 PM, Bruno <[email protected]> wrote:

> Is it true to say that either ESP or GRE will not work through ASAs using
> PAT?
>
>
> On Mon, Sep 27, 2010 at 11:19 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> I will try and get back Tyson.
>>
>> With regards
>> Kings
>>
>>
>> On Mon, Sep 27, 2010 at 7:46 PM, Tyson Scott <[email protected]> wrote:
>>
>>>  Have you got the second tunnel up and working though yet?
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>
>>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>>>
>>> Mailto: [email protected]
>>>
>>> Telephone: +1.810.326.1444, ext. 208
>>>
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>
>>> eFax: +1.810.454.0130
>>>
>>>
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>> training locations throughout the United States, Europe, South Asia and
>>> Australia. Be sure to visit our online communities at
>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>>
>>>
>>> *From:* Kingsley Charles [mailto:[email protected]]
>>> *Sent:* Monday, September 27, 2010 10:06 AM
>>> *To:* Pieter-Jan Nefkens
>>> *Cc:* Tyson Scott; [email protected]
>>>
>>> *Subject:* Re: [OSL | CCIE_Security] ESP across PAT
>>>
>>>
>>>
>>> Hi PJ
>>>
>>> The first link clearly explains how ICMP works with PAT using sequential
>>> numbers. For ESP, the link says we need to use SPI matching using the "ip nat
>>> service-list" command.
>>>
>>> The issue is that I am observing the ESP with PAT process working using the
>>> SPI matching logic without configuring SPI matching configuration (NAT
>>> Support for IPSec ESP - Phase II). Tried reloading but I still see it working
>>> without configuration of "ip nat service-list" on the PAT router and
>>> "crypto ipsec nat-transparency spi-matching" on the
>>> IPSec endpoints.
>>>
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> On Mon, Sep 27, 2010 at 7:10 PM, Pieter-Jan Nefkens <
>>> [email protected]> wrote:
>>>
>>> Hi all,
>>>
>>>
>>>
>>> Actually, it should work with multiple ESP tunnels and PAT with SPI
>>> matching. That is a feature that is introduced in IOS 12.2-something..
>>>
>>>
>>>
>>> Check out:
>>>
>>>
>>>
>>> white paper:
>>>
>>>
>>>
>>>
>>> http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
>>>
>>> (Search for multiple ESP through PAT)
>>>
>>>
>>>
>>> Feature guide:
>>>
>>>
>>> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1057826
>>>
>>>
>>>
>>> I remember this as I was playing around with it once, and I know that at
>>> one time, the SPI matching was enabled automatically, I think it was with
>>> the 12.4T15 release (a lot of things happened then)
>>>
>>>
>>>
>>> HTH
>>>
>>>
>>>
>>> PJ
>>>
>>>
>>> On 27 sep 2010, at 15:13, Kingsley Charles wrote:
>>>
>>>
>>>
>>>   Hi Tyson
>>>
>>>
>>>
>>> I had only one ESP tunnel. Is there any specific reason for it not to
>>> work? If ICMP can be PATed then ESP can also be PATed right?
>>>
>>>
>>> With regards
>>>
>>> Kings
>>>
>>> On Mon, Sep 27, 2010 at 6:39 PM, Tyson Scott <[email protected]>
>>> wrote:
>>>
>>> Kingsley,
>>>
>>>
>>>
>>> Did you have more than one IPSec session going thru the router?  If it
>>> automatically does SPI matching that is new to me but I expect it to not
>>> work when you do two ESP tunnels thru the router.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>
>>> *From:* [email protected] [mailto:
>>> [email protected]] *On Behalf Of *Kingsley
>>> Charles
>>> *Sent:* Monday, September 27, 2010 7:53 AM
>>> *To:* [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] ESP across PAT
>>>
>>>
>>>
>>> Any thoughts?
>>>
>>> On Sat, Sep 25, 2010 at 7:24 PM, Kingsley Charles <
>>> [email protected]> wrote:
>>>
>>> Hi all
>>>
>>>
>>>
>>> We all know that NAT/PAT and firewall might break IPSec. We use NAT-T,
>>> IPSec over UDP and IPSec over TCP.
>>>
>>>
>>>
>>> Some firewalls will not inspect ESP traffic, hence wrapping ESP into TCP
>>> or UDP would solve the problem.
>>>
>>>
>>>
>>> Another global problem is NAT or PAT in between IPSec peers.
>>>
>>>
>>>
>>> AH won't work either with NAT or PAT as it authenticates the whole
>>> packet. So for now let's forget about AH.
>>>
>>>
>>>
>>> ESP doesn't authenticate the whole header and hence we can make it work
>>> across NAT or PAT devices.
>>>
>>>
>>>
>>> Without NAT-T, we can still have ESP across NAT devices by having the
>>> remote device have the peer configured as the NATed address.
>>>
>>>
>>>
>>> The interesting topic is ESP over PAT. The problem is that ESP doesn't
>>> have a port number. How does the PAT device translate the ESP? Thus it
>>> breaks ESP. Here comes NAT-T, which wraps ESP into UDP using port 4500 and
>>> hence PAT devices can translate those wrapped packets.
>>>
>>>
>>>
>>> I was trying ESP over PAT to see how IOS breaks IPSec. But it did
>>> work. It tracks the translation using the ESP SPI number. I didn't have the
>>> IPSec peer and PAT router configured for "ip nat service", i.e., ESP SPI matching.
>>>
>>>
>>>
>>> Which means IOS routers doing PAT don't break ESP and are able to handle
>>> it.
>>>
>>>
>>>
>>> In the same lines, I used to wonder how IOS PAT routers handle ping
>>> across. The ICMP echo-request packets also don't have port numbers, but I
>>> see the IOS router tracking ICMP request translations too.
>>>
>>>
>>>
>>>
>>>
>>> So when did this change happen in IOS? An IOS router doing PAT doesn't break
>>> IPSec using ESP.
>>>
>>>
>>>
>>> Please share your thoughts
>>>
>>> With regards
>>>
>>> Kings
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>>
>>>
>>> ---
>>>
>>> Nefkens Advies
>>>
>>> Enk 26
>>>
>>> 4214 DD Vuren
>>>
>>> The Netherlands
>>>
>>>
>>>
>>> Tel: +31 183 634730
>>>
>>> Fax: +31 183 690113
>>>
>>> Cell: +31 654 323221
>>>
>>> Email: [email protected]
>>>
>>> Web: http://www.nefkensadvies.nl/
>>>
>>>
>>>  Think before you print.
>>>
>>
>>
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>

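The thread above turns on one point: ESP carries no port, so a PAT device has nothing but the SPI to tell tunnels apart. The following toy model, added here and not taken from any poster nor from Cisco's code, shows why a single tunnel through PAT can work without any SPI-matching configuration while two tunnels to the same peer become ambiguous, and how SPI matching (peers using the same SPI in both directions) removes the guess. The "oldest pending host" heuristic, the public address 203.0.113.1, the second inside host 10.20.30.42 and all SPI values are constructed assumptions; 10.20.30.41 and 20.10.30.41 are the addresses from the ASA log in this thread.

```python
from collections import OrderedDict

PAT_OUTSIDE = "203.0.113.1"  # constructed public address of the PAT device


class EspPat:
    """Toy PAT table for IP protocol 50 (ESP), keyed on SPI since ESP has no port."""

    def __init__(self, spi_matching=False):
        self.spi_matching = spi_matching
        self.out_spi = OrderedDict()   # outbound SPI -> inside host
        self.in_spi = {}               # learned inbound SPI -> inside host
        self.pending = []              # inside hosts still waiting for a return SPI

    def outbound(self, inside_src, peer, spi):
        """Inside -> outside: record the host's SPI and rewrite the source address."""
        self.out_spi[spi] = inside_src
        if not self.spi_matching and inside_src not in self.pending:
            self.pending.append(inside_src)
        return (PAT_OUTSIDE, peer, spi)

    def inbound(self, peer, spi):
        """Outside -> inside: return the inside host for this SPI, or None if no
        translation can be created (the ASA's 'translation creation failed' case)."""
        if spi in self.in_spi:
            return self.in_spi[spi]
        if self.spi_matching:
            # Peers negotiated SPI_in == SPI_out, so the return SPI must already be
            # known from the inside host's own outbound packets.
            host = self.out_spi.get(spi)
        else:
            # Assumed heuristic: give the unknown SPI to the oldest host still waiting
            # for its return SPI.  Correct for one tunnel, a guess for two or more.
            host = self.pending.pop(0) if self.pending else None
        if host is not None:
            self.in_spi[spi] = host
        return host


def demo(spi_matching):
    """Two inside hosts open ESP tunnels to the same peer; the peer answers host B
    first.  Returns the inside hosts the two return packets were delivered to."""
    pat = EspPat(spi_matching)
    peer = "20.10.30.41"
    pat.outbound("10.20.30.41", peer, 0x1111)   # host A (address from the thread)
    pat.outbound("10.20.30.42", peer, 0x2222)   # host B (constructed)
    # With SPI matching the peer reuses each host's SPI; otherwise it picks its own.
    b_reply = 0x2222 if spi_matching else 0xB0B0
    a_reply = 0x1111 if spi_matching else 0xA0A0
    return (pat.inbound(peer, b_reply), pat.inbound(peer, a_reply))
```

Without SPI matching `demo(False)` hands host B's return traffic to host A, which is the failure Tyson expects with two tunnels; `demo(True)` delivers both correctly.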