
VPN Series

IPSec Thru a Firewall


KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Outline
 NAT Transparent Overview
 NAT Detection Process
 IPSec with NAT-T
 IPSec without NAT-T

NAT Transparent Overview
 NAT rewrites the IP header of a packet (and, with PAT, the transport ports). AH authenticates the outer IP header, so any translation breaks its integrity hash; ESP does not cover the outer header, but it carries no port numbers, so a PAT device has nothing to translate on and cannot map several ESP sessions behind one address.
 NAT Traversal (NAT-T, RFC 3947/3948) solves this by encapsulating the ESP packet inside an additional UDP header (port 4500). The NAT device translates only the outer IP and UDP headers, so the ESP header and its integrity hash survive untouched.
 For this to work, IPSec needs to know whether one or both tunnel endpoints are being translated.
 One of the first things that happens in Phase I [ISAKMP] is NAT Detection.
 If NAT is detected, the peers switch to NAT-T; otherwise normal IPSec (ESP carried directly in IP) is used.
NAT Detection Process
 During Phase I the tunnel endpoints exchange NAT-D payloads. Each payload carries a hash of an IP address and UDP port: the sender includes one hash for the peer's address (the destination it sends to) and one for its own address (the source it sends from), as the sender sees them.
 The receiver recomputes those hashes from the source and destination address and port of the packet it actually received. If a hash does not match, the address or port was rewritten in transit, which tells the endpoints that one or both of them are being translated by an intermediate device. They switch the process to NAT-T.
 When NAT-T is turned on, the IKE negotiation floats from UDP 500 to UDP 4500 and the ESP packet is encapsulated inside a UDP 4500 header. The ESP hash is protected because it covers only the ESP packet, which the NAT device no longer modifies; only the outer IP and UDP headers are translated.
 If neither tunnel endpoint is translated, IPSec works normally in Phase II using ESP carried directly in IP.
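The detection exchange above, as an added example that is not part of the original deck: a Python model of the IKEv1 NAT-D check from RFC 3947 section 3.2, HASH(CKY-I | CKY-R | IP | Port). The cookies and the MD5 hash (matching the deck's `hash md5` policy) are assumptions chosen for the example; the addresses are the deck's Tunnel 1 (R1 behind the ASA, translated to 192.1.10.1) and Tunnel 2 (R4, not translated) endpoints.

```python
"""Model of IKEv1 NAT detection (RFC 3947 section 3.2). Example code, not from the deck."""
import hashlib
import ipaddress
import struct

# ISAKMP cookies, 8 bytes each. Constructed values for the example only.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) with the negotiated Phase I hash.
    IP is the packed address (4 bytes for IPv4), Port is 2 bytes, network order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port, hash_name="md5"):
    """What a sender puts on the wire (RFC 3947 3.2): the first NAT-D payload hashes the
    peer's address/port (the packet's destination), the remaining ones hash the sender's
    own address(es)/port (the packet's source)."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port, hash_name),
        nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_name),
    ]


def detect_nat(cky_i, cky_r, received_payloads,
               seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port, hash_name="md5"):
    """Receiver side: recompute the hashes from the addresses and ports actually seen in
    the received datagram and compare them with the payloads the sender built."""
    expected_dst = nat_d_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port, hash_name)
    expected_src = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port, hash_name)
    # First payload is the sender's view of *our* address: mismatch means we are translated.
    local_nat = received_payloads[0] != expected_dst
    # Remaining payloads are the sender's own addresses (several on a multihomed host):
    # if none matches the source we saw, the sender is behind NAT.
    remote_nat = expected_src not in received_payloads[1:]
    return {"local_behind_nat": local_nat,
            "remote_behind_nat": remote_nat,
            "use_nat_t": local_nat or remote_nat}


def tunnel1_scenario():
    """R1 (real 10.11.11.1) sends to R2; the ASA static NAT rewrites the source to
    192.1.10.1. R2 evaluates the payloads against the translated packet it receives."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "10.11.11.1", 500, "192.1.20.2", 500)
    return detect_nat(CKY_I, CKY_R, payloads, "192.1.10.1", 500, "192.1.20.2", 500)


def tunnel2_scenario():
    """R4 (192.1.40.4) sends to R3 (192.1.30.3) and nothing is rewritten in transit."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.1.40.4", 500, "192.1.30.3", 500)
    return detect_nat(CKY_I, CKY_R, payloads, "192.1.40.4", 500, "192.1.30.3", 500)


if __name__ == "__main__":
    print("Tunnel 1:", tunnel1_scenario())
    print("Tunnel 2:", tunnel2_scenario())
```

Because the cookies are part of the hashed data, an intermediate device cannot precompute or replay a matching NAT-D value for a different address, and because only the address and port are hashed, a static one-to-one NAT that preserves the port is still detected from the address change alone.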
NAT – T Packet Header

Normal ESP (tunnel mode):
  Outer IP Header | ESP Header | Inner IP Header | Inner Packet

With NAT-T:
  Outer IP Header | UDP Header (port 4500) | ESP Header | Inner IP Header | Inner Packet
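The two layouts above, as an added example (not from the original deck): Python that builds the part of a NAT-T packet that follows the outer IP header, the UDP/4500 header and the ESP packet, and the receiver-side demultiplexing defined in RFC 3948 (section 2.1 for ESP, 2.2 for IKE behind the four-zero-byte Non-ESP marker, 2.3 for the one-byte keepalive). The SPI, sequence number and body bytes are constructed for the example, and the encrypted body is opaque bytes rather than a real inner IP packet.

```python
"""UDP-4500 encapsulation and demultiplexing per RFC 3948. Example code, not from the deck."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: precedes an IKE message on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-octet NAT keepalive
NAT_T_PORT = 4500


def esp_packet(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted body and ICV.
    The body is opaque constructed bytes here; real ESP carries the inner IP packet."""
    if spi == 0:
        # RFC 3948 2.1: SPI 0 is reserved; on port 4500 it would collide with the marker.
        raise ValueError("SPI 0 is reserved and would be mistaken for the Non-ESP marker")
    return struct.pack("!II", spi, seq) + encrypted_body


def udp_encapsulate(payload: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """UDP header + payload: everything after the outer IP header in the NAT-T layout.
    RFC 3948 2.1 lets senders put 0 in the checksum and tells receivers not to rely on it."""
    length = 8 + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def udp_decapsulate(datagram: bytes) -> dict:
    """Parse the UDP header and classify the payload the way a NAT-T receiver must."""
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram length")
    payload = datagram[8:]
    ports = (src_port, dst_port)
    if payload == NAT_KEEPALIVE:
        return {"ports": ports, "kind": "keepalive", "inner": b""}
    if len(payload) < 4:
        raise ValueError("payload too short for IKE or ESP")
    if payload[:4] == NON_ESP_MARKER:
        return {"ports": ports, "kind": "ike", "inner": payload[4:]}
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"ports": ports, "kind": "esp", "spi": spi, "seq": seq, "inner": payload[8:]}


def nat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a PAT device does to the NAT-T packet: it rewrites the UDP source port (and the
    outer IP address, not modelled here) and never touches the ESP bytes that follow."""
    _src_port, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst_port, length, 0) + datagram[8:]


def nat_t_roundtrip(spi: int, seq: int, body: bytes, translated_port: int) -> bool:
    """True if the ESP header and body are byte-identical after the UDP header was translated,
    which is why the ESP integrity check still passes under NAT-T."""
    before = udp_decapsulate(udp_encapsulate(esp_packet(spi, seq, body)))
    after = udp_decapsulate(nat_rewrite(udp_encapsulate(esp_packet(spi, seq, body)), translated_port))
    return (before["spi"], before["seq"], before["inner"]) == (after["spi"], after["seq"], after["inner"])
```

The receiver keys its decision on the first four bytes after the UDP header: a keepalive is one byte, an IKE message starts with four zero bytes, and anything else is ESP whose SPI can never be zero. That is the whole reason IKE and ESP can share port 4500 without a separate port for each.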
IPSec Tunnels

Topology (reconstructed from the diagram):

 R1: E0/0 (.1) on 10.11.11.0/24, the ASA Inside segment; LAN 10.1.1.0/24. The ASA translates R1 to 192.1.10.1.
 ASA: G0/1 (.10) Inside on 10.11.11.0/24; G0/0 (.10) Outside on 192.1.10.0/24.
 R2: E0/0 (.2) on 192.1.20.0/24; LAN 10.2.2.0/24.
 R3: E0/0 (.3) on 192.1.30.0/24; LAN 10.3.3.0/24.
 R4: E0/0 (.4) on 192.1.40.0/24; LAN 10.4.4.0/24. R4's tunnel traffic crosses the ASA without being translated.

IPSec Tunnel 1 – R1 [192.1.10.1, the translated address] – R2 [192.1.20.2]
Interesting Traffic – 10.1.1.0/24 <-> 10.2.2.0/24
(R1 is behind NAT, so this tunnel uses NAT-T.)

IPSec Tunnel 2 – R4 [192.1.40.4] – R3 [192.1.30.3]
Interesting Traffic – 10.4.4.0/24 <-> 10.3.3.0/24
(Neither endpoint is translated, so this tunnel uses plain ESP.)
Tunnel 1 – NAT-T

R1:

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.20.2
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.20.2
 set transform-set TSET
!
interface Ethernet0/0
 crypto map CMAP

R2:

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.10.1
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.10.1
 set transform-set TSET
!
interface Ethernet0/0
 crypto map CMAP

Notes: R2 keys and peers on 192.1.10.1, the address the ASA presents for R1, not on R1's real 10.11.11.1. The crypto ACLs match the /24 interesting traffic exactly (the deck's 0.255.255.255 wildcards would have matched all of 10.0.0.0/8). NAT-T is enabled by default in IOS, so no extra command is needed; once NAT is detected, show crypto ipsec sa lists the peer with port 4500. 3DES, MD5 and DH group 2 are lab settings that current IOS marks as deprecated; use AES, SHA-2 and group 14 or higher in production.
Tunnel 1 – Firewall NAT & ACL

ASA:

object network R1
 host 10.11.11.1
 nat (Inside,Outside) static 192.1.10.1
!
access-list OUTSIDE extended permit udp host 192.1.20.2 host 10.11.11.1 eq 500
access-list OUTSIDE extended permit udp host 192.1.20.2 host 10.11.11.1 eq 4500
!
access-group OUTSIDE in interface Outside

Notes: On ASA 8.3 and later, access lists match on real (pre-translation) addresses, which is why the ACL names 10.11.11.1 rather than 192.1.10.1. Both UDP 500 and UDP 4500 must be permitted: IKE starts on 500, and once NAT is detected it floats to 4500, which then carries both the rest of IKE and the UDP-encapsulated ESP. Static one-to-one NAT preserves the source port, but the address change alone is enough for NAT detection to trigger NAT-T, so no ESP (IP protocol 50) entry is needed for this tunnel.
Tunnel 2 – Without NAT-T

R4:

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.30.3
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.30.3
 set transform-set TSET
!
interface Ethernet0/0
 crypto map CMAP

R3:

crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.1.40.4
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.40.4
 set transform-set TSET
!
interface Ethernet0/0
 crypto map CMAP

The router configuration is identical to Tunnel 1 apart from the addresses; nothing on R3 or R4 disables NAT-T. The peers simply find no translation during NAT detection and stay on ESP over IP.
Tunnel 2 – Firewall ACL

ASA:

access-list OUTSIDE extended permit udp host 192.1.30.3 host 192.1.40.4 eq 500
access-list OUTSIDE extended permit esp host 192.1.30.3 host 192.1.40.4
!
access-group OUTSIDE in interface Outside

Notes: R4 is not translated, so NAT detection finds no NAT and Phase II uses native ESP (IP protocol 50), which has no UDP port to permit. The firewall must therefore allow ESP explicitly from the peer, in addition to UDP 500 for IKE; UDP 4500 is never used on this tunnel. The inbound entry is needed because the ASA does not create a return flow for ESP on its own (the alternative is inspect ipsec-pass-thru, which opens the ESP flow after a successful IKE exchange); the Inside-to-Outside direction is allowed by the default higher-to-lower security policy.
