Dynamic PAT traversal router can be successfully established without NAT-T IPSec VPN

Source: Internet
Author: User

I. Overview:IPSec VPN has a variety of methods through NAT, NAT-T is one of them. Generally, IPSec VPN cannot cross the NAT device because the ESP traffic does not have a port number as the TCP or UDP traffic does. When the first phase of the test of IPSec VPN is aggressive-mode, it is not intended to appear in the PIX/ASA by default if the NAT-T is not enabled, ipsec vpn can also be established, special record.Ii. Basic Ideas:A. nat-tB is enabled for the vro by default. cisco PIX/ASA does not enable nat-tC by default. if you want to use a NAT-T, both encryption points are required to enable the NAT-T, And the encryption point will use the NAT-T when detecting the need to use the NAT-TD. NAT-T VPN is not enabled, it seems that the PAT router is more intelligent, will automatically pat esp traffic E. if the PAT device in the middle is a firewall and the NAT-T or related technology is not enabled, it should not be crossedIii. Test topology:
650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/06423R048-0.jpg "title =" 1.JPG"/>4. Basic Configuration:A. R1:Interface Ethernet0/0
Ip address 192.168.1.1 255.255.255.0
No shutinterface Loopback0
Ip address 192.168.2.1 255.255.255.0ip route 0.0.0.0 0.0.0.0 192.168.1.2B. R2:Interface Ethernet0/0
Ip address 192.168.1.2 255.255.255.0
Ip nat inside no shutinterface Ethernet0/1
Ip address 202.100.1.2 255.255.255.0
Ip nat outside no shutip route 0.0.0.0 0.0.0.0 202.100.1.3ip access-list extended PAT
Permit ip any anyip nat inside source list PAT interface Ethernet0/1 overloadC. R3:Interface Ethernet0/0
Ip address 202.100.1.3 255.255.255.0
No shutinterface Ethernet0/1
Ip address 202.100.2.3 255.255.255.0
No shutD. PIX80:Interface Ethernet0
Nameif Inside
Security-level 100
Ip address 172.16.1.10 255.255.255.0
No shutinterface Ethernet1
Nameif Outside
Security-level 0
Ip address 202.100.2.10 255.255.255.0
No shutroute Outside 0.0.0.0 0.0.0.0 202.100.2.3access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any nat (Inside) 1 access-list PATglobal (Outside) 1 interfaceaccess-list OUTSIDE extended permit icmp any
Access-group OUTSIDE in interface OutsideE. R4:Interface Ethernet0/0
Ip address 172.16.1.4 255.255.255.0
No shutip route 0.0.0.0 0.0.0.0 172.16.1.105. VPN configuration:A. R1:① First-stage strategy:Crypto isakmp policy 10
Encr 3des
Hash md5
Authentication pre-share
Group 2
Crypto isakmp identity hostname
Crypto isakmp keepalive 10 periodic
Crypto isakmp peer address 202.100.2.10
Set aggressive-mode password cisco123
Set aggressive-mode client-endpoint fqdn R1② Stage 2 strategy:Crypto ipsec transform-set transet esp-3des esp-md5-hmac③ Interesting stream Configuration:Ip access-list extended VPN
Permit ip 192.168.2.0 0.0.255 172.16.1.0 0.0.0.255④ Configure crypto map and apply it on the interface:Crypto map crymap 10 ipsec-isakmp
Set peer 202.100.2.3
Set transform-set transet
Set pfs group2
Match address VPN
Reverse-routeB. PIX80:① First-stage strategy:Crypto ikev1 policy 10
Authentication pre-share
Encryption 3des
Hash md5
Group 2 crypto isakmp identity hostnametunnel-group 202.100.1.2 type ipsec-l2l
Tunnel-group 202.100.1.2 ipsec-attributes
Ikev1 pre-shared-key cisco123 --- Note: tunnel-group can also use the FQDN of the other party② Stage 2 strategy:Crypto map crymap 10 set transform-set transet③ Configure the stream of interest and enable NAT exemption:Access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.0nat (Inside) 0 access-list NONATConfigure crypto map and call it on the interface:Crypto map crymap 10 match address VPN
Crypto map crymap 10 set pfs
Crypto map crymap 10 set peer 202.100.1.2
Crypto map crymap 10 set transform-set transet
Crypto map crymap 10 set phase1-mode aggressive
Crypto map crymap 10 set reverse-route
Crypto map crymap interface Outside⑤ Enable isakmp on the interface:Crypto isakmp enable Outside6. test:A. the VPN can only be triggered on the PAT side first:R4 # ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4 # R1 # PING 172.16.1.4 SOUrce 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 MS

B. The ESP traffic is directly encapsulated under the IP Address:

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/06423QW1-1.jpg "title =" 2.JPG"/>

650) this. width = 650; "src =" en-resource: // resourcemap/ea1c1e3e533bf1363adb243450f9e43c "style =" cursor: default; "/> C. You can see that the R2 router automatically performs the ESP bidirectional NAT:R2 # show ip nat translations
Pro Inside global Inside local Outside global
Esp 202.100.1.2: 0 192.168.1.1: 0 202.100.2.10: 0 202.100.2.10: CEC6AC77
Udp 202.100.1.2: 1 192.168.1.1: 500 202.100.2.10: 500 202.100.2.10: 500
Esp 202.100.1.2: 0 192.168.1.1: CCA11424 202.100.2.10: 0 202.100.2.10: 0
Udp 202.100.1.2: 500 202.100.1.2: 500 202.100.2.10: 500 202.100.2.10: 500 D. Enable NAT-T on the firewall, clear SA reconnect, capture the packet can see ESP encapsulated under UDP:--- Use the command: crypto isakmp nat-traversal 10650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/06423Q051-2.jpg "title =" 1.JPG"/> R1 # ping 172.16.1.4 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 MS

This article is from the "httpyuntianjxxll. spac..." blog, please be sure to keep this source http://333234.blog.51cto.com/323234/1269704

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.