I. Overview:
IPsec VPNs have several ways of getting through NAT, and NAT-T (NAT Traversal) is one of them. In general an IPsec VPN cannot pass through a PAT device, because ESP traffic carries no port number the way TCP or UDP traffic does, so the PAT device has nothing to multiplex on. In this test, IKE phase 1 uses aggressive mode. The unexpected result is that the IPsec VPN could still be established even though NAT-T is not enabled on the PIX/ASA by default, so it is recorded here.

II. Basic Ideas:
A. Cisco IOS routers enable NAT-T by default.
B. Cisco PIX/ASA does not enable NAT-T by default.
C. To use NAT-T, both crypto endpoints must have it enabled; the endpoints negotiate NAT-T support during IKE phase 1 and only switch to UDP encapsulation when they detect a NAT device between them.
D. With NAT-T not enabled, the PAT router appears to be smart enough to translate the ESP traffic on its own.
E. If the PAT device in the middle is a firewall that does not have NAT-T or an equivalent ESP pass-through feature enabled, the traffic should not get through.

III. Test topology:
[Figure 1: test topology (1.JPG, http://www.bkjia.com/uploads/allimg/131227/06423R048-0.jpg)]
Topology as recovered from the configuration below: R1 (E0/0 192.168.1.1, Lo0 192.168.2.1) -- R2, the PAT router (E0/0 192.168.1.2 inside, E0/1 202.100.1.2 outside) -- R3 (E0/0 202.100.1.3, E0/1 202.100.2.3) -- PIX80 (Outside 202.100.2.10, Inside 172.16.1.10) -- R4 (172.16.1.4). R1 and the PIX are the IPsec endpoints; R1 sits behind R2's PAT.

IV. Basic Configuration:
A. R1:
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shut
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.2

B. R2:
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 permit ip any any
ip nat inside source list PAT interface Ethernet0/1 overload

C. R3:
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut

D. PIX80:
interface Ethernet0
 nameif Inside
 security-level 100
 ip address 172.16.1.10 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 202.100.2.10 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

E. R4:
interface Ethernet0/0
 ip address 172.16.1.4 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.10

V. VPN configuration:
A. R1:
① Phase 1 policy:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint fqdn R1

② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac

③ Interesting traffic:
ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255

④ Crypto map, applied to the interface:
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.2.10
 set transform-set transet
 set pfs group2
 match address VPN
 reverse-route
interface Ethernet0/0
 crypto map crymap
Note: the peer must be the PIX Outside address 202.100.2.10, the same address used in the crypto isakmp peer entry above; 202.100.2.3 belongs to R3, which is not a VPN endpoint.

B. PIX80:
① Phase 1 policy:
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
Note: the tunnel-group can also be named after the peer's FQDN (R1), which is the identity R1 sends in aggressive mode.

② Phase 2 policy:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
(The transform set must match R1's esp-3des esp-md5-hmac. This is the ASA 8.4+ syntax, matching the crypto ikev1 commands above; on older code the command is crypto ipsec transform-set.)

③ Interesting traffic and NAT exemption:
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NONAT

④ Crypto map, applied to the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside

⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside

VI. Test:
A. The tunnel can only be brought up from the side behind the PAT device. R4 (behind the PIX) cannot trigger it, because R2 holds no translation for inbound IKE or ESP until R1 has sent traffic out; a ping from R1 brings the tunnel up:

R4# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1# ping 172.16.1.4 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 ms

(The first two echoes are lost while IKE phase 1 and phase 2 negotiate.)

B. The ESP traffic is carried directly over IP (protocol 50), with no UDP header:
[Figure 2: packet capture, ESP directly over IP (2.JPG, http://www.bkjia.com/uploads/allimg/131227/06423QW1-1.jpg)]
C. The R2 router translates the ESP traffic in both directions on its own. The ESP entries are keyed by SPI rather than by port: the "port" fields of the esp rows hold the SPI values (CEC6AC77 for the PIX-to-R1 SA, CCA11424 for the R1-to-PIX SA):

R2# show ip nat translations
Pro  Inside global      Inside local          Outside local       Outside global
esp  202.100.1.2:0      192.168.1.1:0         202.100.2.10:0      202.100.2.10:CEC6AC77
udp  202.100.1.2:1      192.168.1.1:500       202.100.2.10:500    202.100.2.10:500
esp  202.100.1.2:0      192.168.1.1:CCA11424  202.100.2.10:0      202.100.2.10:0
udp  202.100.1.2:500    202.100.1.2:500       202.100.2.10:500    202.100.2.10:500

Note also that R2 rewrote the IKE source port from 500 to 1 on the outside; the negotiation still succeeded, so the PIX replied to the translated port.
D. Enable NAT-T on the firewall, clear the SAs and bring the tunnel up again; a capture now shows the ESP traffic encapsulated in UDP (port 4500):
Command used on the PIX: crypto isakmp nat-traversal 10 (10 is the NAT keepalive interval in seconds)

[Figure 3: packet capture, ESP over UDP 4500 after enabling NAT-T (1.JPG, http://www.bkjia.com/uploads/allimg/131227/06423Q051-2.jpg)]

R1# ping 172.16.1.4 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 ms
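To make the difference between the two captures in VI.B and VI.D concrete, and to show the detection step behind idea II.C (peers only switch to NAT-T after they detect a NAT in the path), here is an added example that is not part of the original post. It classifies an IPv4 packet as raw ESP (protocol 50), ESP in UDP/4500, or IKE in UDP/4500 (distinguished by the 4-byte non-ESP marker of RFC 3948), and reproduces the NAT-D check of RFC 3947: each peer hashes its own address and port into a NAT-D payload, and the receiver recomputes the hash over the source address it actually sees. The packets are constructed in the script; the SPI 0xCCA11424 and the translated source port 1 are taken from R2's translation table above, and the IKE cookies are made-up values.

```python
"""Tell raw ESP from NAT-T (UDP/4500) traffic and reproduce the IKE NAT-D check.
Added example; every packet below is constructed, not captured."""
import hashlib
import socket
import struct

ESP_PROTO = 50
UDP_PROTO = 17
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP/4500 starts with 4 zero bytes


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_header(spi, seq):
    """ESP starts with SPI and sequence number, both 32-bit big-endian."""
    return struct.pack("!II", spi, seq)


def classify_ipv4(pkt):
    """Return a dict describing how IPsec traffic is carried in one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}
    payload = pkt[ihl:]
    if proto == ESP_PROTO:  # what the capture in VI.B shows: ESP directly over IP
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="esp-over-ip", spi=spi, seq=seq)
    elif proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        info.update(sport=sport, dport=dport)
        if NAT_T_PORT in (sport, dport):  # NAT-T: IKE and ESP share UDP/4500
            if data[:4] == NON_ESP_MARKER:
                info["kind"] = "ike-over-udp4500"
            else:  # an SPI is never zero, so anything else on 4500 is ESP
                spi, seq = struct.unpack("!II", data[:8])
                info.update(kind="esp-over-udp4500", spi=spi, seq=seq)
        elif IKE_PORT in (sport, dport):
            info["kind"] = "ike-over-udp500"
        else:
            info["kind"] = "other-udp"
    else:
        info.update(kind="other", proto=proto)
    return info


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) with the phase-1 hash (md5 here)."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def nat_detected(cky_i, cky_r, received_nat_d, observed_ip, observed_port, hash_name="md5"):
    """Responder side: recompute NAT-D over the source address/port actually seen on the wire.
    A mismatch with the value the peer sent means a NAT rewrote the packet on the way."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name) != received_nat_d


# Constructed samples mirroring the lab: R1 behind R2's PAT (202.100.1.2) talking to PIX Outside 202.100.2.10.
SPI_R1_TO_PIX = 0xCCA11424  # SPI taken from R2's translation table
RAW_ESP = build_ipv4("202.100.1.2", "202.100.2.10", ESP_PROTO,
                     esp_header(SPI_R1_TO_PIX, 1) + b"\x00" * 40)
NAT_T_ESP = build_ipv4("202.100.1.2", "202.100.2.10", UDP_PROTO,
                       build_udp(4500, 4500, esp_header(SPI_R1_TO_PIX, 1) + b"\x00" * 40))
NAT_T_IKE = build_ipv4("202.100.1.2", "202.100.2.10", UDP_PROTO,
                       build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28))

CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8  # made-up IKE cookies
# R1 hashes its own address 192.168.1.1:500; after R2's PAT the PIX sees 202.100.1.2:1 (port from the table above).
R1_NAT_D = nat_d_hash(CKY_I, CKY_R, "192.168.1.1", 500)

if __name__ == "__main__":
    for p in (RAW_ESP, NAT_T_ESP, NAT_T_IKE):
        print(classify_ipv4(p))
    print("NAT in path:", nat_detected(CKY_I, CKY_R, R1_NAT_D, "202.100.1.2", 1))
```

The classifier is what a detection rule for "IPsec with NAT-T enabled" reduces to: protocol 50 means the ESP is exposed to the PAT device and survives only on a SPI-aware translator such as R2, while UDP/4500 means the endpoints agreed on NAT-T. The NAT-D part shows why both ends must support NAT-T: the hash only tells the responder that the initiator's address was rewritten; switching to UDP/4500 still needs both sides to have advertised NAT-T support in phase 1.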
This article is from the "httpyuntianjxxll. spac..." blog; please keep this source: http://333234.blog.51cto.com/323234/1269704