Just a small addition to that... IPSec has rules for only allowing certain
source & destination IP addresses through. NAT changes IPs & doesn't even
have the same IP/port for each transmission so IPSec would thoroughly be
confused ;)
----- Original Message -----
From: "Ross McCormick"
To:
Sent: Thursday, July 19, 2001 3:57 AM
Subject: Re: ipsec and nat [7:12825]
> Two scenarios:
>
> 1) End point --- NAT --- IPSec --- IPSec --- Endpoint
> 2) End point --- IPSec --- NAT --- IPSec --- Endpoint
>
> Ignoring fancy tricks, scenario 1 will work whereas 2 will fail.
>
> IPSec encapsulates the IP address within the encrypted packet, so if there
> is a NAT device in the IPSec path the IPSec tunnel will fail.
>
> Cisco have a number of documents regarding the options of dealing with
> NAT/IPSec combinations at TAC, so I recommend starting there.
>
> Ross
>
>
> Fly Ers wrote:
> >
> > Dennis,
> > I am not referring to vpn client, but having a lan-lan vpn setup where
> > networks on both sides of the endpoints are configured with overlapping
> > address space. one side of the tunnel is a hiding (nat on a non-cisco
> > device) behind one address. there is a vpn3000 on the other end that can
> > not perform the translation and route it over the IPsec tunnel.
> > thanks.
> >
> >
> > >From: "Dennis H"
> > >Reply-To: "Dennis H"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: ipsec and nat [7:12825]
> > >Date: Wed, 18 Jul 2001 12:23:48 -0400
> > >
> > >I believe you mean ipsec over nat, as opposed to nat over ipsec... the vpn
> > >concentrators can do it using udp port forwarding but this only works if
> > >you're using Cisco's vpn client.
> > >
> > >
> > >"Fly Ers" wrote in message news:[EMAIL PROTECTED]...
> > > > Anyone confirm whether pix, concentrator or ipsec router has the ability
> > > > to nat over ipsec? i know that I can nat everything on a router behind one
> > > > of these devices.
> > > >
> > > > Thanks.
> > > >
> > > >
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12957&t=12825
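
An added example, not part of the original thread: a simplified Python model of what each IPsec protocol authenticates, showing why a source-address rewrite by NAT invalidates an AH integrity check value (ICV) while an ESP ICV, which does not cover the outer IP header, is unaffected. The key, addresses and payload are constructed for illustration, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed SA key, not from the thread
FMT = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build an IPv4 header (checksum left at 0; AH treats it as mutable)."""
    return struct.pack(FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_hdr, payload):
    """HMAC-SHA1-96 over the IP header with mutable fields zeroed, plus payload.
    Simplified: real AH also hashes its own header with the ICV field zeroed."""
    f = list(struct.unpack(FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0  # TOS, flags/fragment offset, TTL, checksum
    data = struct.pack(FMT, *f) + payload  # src/dst addresses remain covered
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def icv(proto, ip_hdr, body):
    """ICV as each protocol computes it: AH covers the outer header, ESP does not."""
    if proto == "ah":
        return ah_icv(ip_hdr, body)
    return hmac.new(KEY, body, hashlib.sha1).digest()[:12]  # ESP: outer header unused


def nat_rewrite(ip_hdr, new_src):
    """Source NAT on a router: decrement TTL (byte 8), replace source (bytes 12-15)."""
    return (ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:12]
            + socket.inet_aton(new_src) + ip_hdr[16:])


def survives_nat(proto):
    """True if the receiver's ICV check still passes after source NAT."""
    body = b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"constructed payload"
    hdr = ipv4_header("10.1.1.5", "192.0.2.20", 51 if proto == "ah" else 50, len(body))
    natted = nat_rewrite(hdr, "198.51.100.7")
    return hmac.compare_digest(icv(proto, hdr, body), icv(proto, natted, body))


if __name__ == "__main__":
    for p in ("ah", "esp"):
        print(p, "ICV valid after NAT:", survives_nat(p))
```

A valid ICV is not the whole story for ESP: an ESP packet carries no TCP or UDP ports for a port-translating NAT to rewrite, which is the problem UDP encapsulation addresses.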