Note: the comments below assume that NAT and IPSec are _not_
running on the same device, i.e. you have a NATing device in
between your IPSec endpoints.
NAT and IPSec can co-exist IF:
1) You're using ESP and not AH as the IPSec header
2) You're using tunnel mode
When using AH the entire packet is authenticated with a MAC, so
if any portion of the packet is changed, the packet would be
rejected. i.e. no NAT with AH.
If you're using ESP in tunnel mode, even with ESP authentication,
only the data portion of the IP packet, i.e. the original IP packet, is
authenticated, so NAT can change the IP header accordingly.
There are several NAT implementations that will perform NAT/PAT
on an IPSec packet in ESP tunnel mode, the Linksys cable
modem/DSL router and the Linux IPChains implementation (with
appropriate kernel patching) are 2 I have personally used.
Unfortunately, the NAT on a cisco router does not play nice with
IPSec. The problem seems to be that the Cisco NAT
implementation doesn't handle an IP packet that isn't TCP or UDP.
Not sure if the more recent implementations of the PIX have the
same issue or not.
HTH,
Kent
On 26 Jan 2001, at 16:31, Ricky Gomez wrote:
> Has anyone ever implemented IPSec along with NAT in your existing network? I
> have read that there are known problems that these two do not play nice
> together. Anyone have any good news on this?
>
> Ricky Gomez
> Email: <mailto:[EMAIL PROTECTED]>
>
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
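An added example (not from this thread) that models the integrity-scope difference Kent describes: AH's MAC covers the outer IP header with only the mutable fields zeroed, so a NAT rewrite of the source address invalidates it, while ESP tunnel mode's MAC covers only the ESP body, so the same rewrite leaves it valid. Addresses, the key and the packet contents are constructed placeholders; the "encryption" is a stand-in XOR, not real ESP.

```python
import hmac, hashlib, socket, struct

KEY = b"demo-integrity-key"   # constructed placeholder, not a real SA key
FMT = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header; checksum left zero (not needed for this demo)."""
    return struct.pack(FMT, 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """AH rule (RFC 2402): ToS, flags/fragment offset, TTL and checksum are
    zeroed before the MAC is taken; source/destination addresses are NOT."""
    v, _tos, tlen, ident, _fl, _ttl, proto, _ck, src, dst = struct.unpack(FMT, hdr)
    return struct.pack(FMT, v, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_mac(outer_hdr, payload):
    """AH: MAC covers the outer IP header (minus mutable fields) plus payload."""
    return hmac.new(KEY, zero_mutable(outer_hdr) + payload, hashlib.sha256).digest()

def esp_mac(outer_hdr, esp_body):
    """ESP tunnel mode: MAC covers only the ESP header and the encrypted inner
    packet; the outer IP header is deliberately not part of the input."""
    del outer_hdr
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()

def nat_rewrite_src(hdr, new_src):
    """What a NAT box does to the outer header: swap the source address
    (it would also fix the checksum, a mutable field, skipped here)."""
    return hdr[:12] + socket.inet_aton(new_src) + hdr[16:]

def nat_vs_ipsec():
    """Compare AH and ESP-tunnel integrity checks before/after a NAT rewrite."""
    inner = ipv4_header("10.0.0.5", "10.1.0.9", 6, 31) + b"TCP segment"  # constructed
    outer = ipv4_header("192.168.1.5", "203.0.113.1", 51, 20 + 24 + len(inner))  # proto 51=AH
    tag_ah = ah_mac(outer, inner)
    # ESP body: SPI + sequence, then the inner packet "encrypted" by a stand-in XOR
    esp_body = struct.pack("!II", 0x1000, 1) + bytes(b ^ 0x5A for b in inner)
    tag_esp = esp_mac(outer, esp_body)
    natted = nat_rewrite_src(outer, "198.51.100.7")   # NAT's public address
    return {
        "ah_before_nat": hmac.compare_digest(ah_mac(outer, inner), tag_ah),
        "ah_after_nat": hmac.compare_digest(ah_mac(natted, inner), tag_ah),
        "esp_after_nat": hmac.compare_digest(esp_mac(natted, esp_body), tag_esp),
    }
```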