Can you better describe the environment that you are using.  Are you using
hardware or software to implement IPSec?

Thank you,

Mark Krysinski

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Christopher Larson
Sent: Wednesday, January 31, 2001 12:01 PM
To: 'Ricky Gomez'; '[EMAIL PROTECTED]'
Subject: RE: IPSec help


This should not be a problem on your side when using ESP. With ESP your
traffic is encapsulated, w/o modifying the original packet, and the firewall
forwards to your peer, where the outer packet is stripped revealing the
original data.

It is the peer that will have a problem as the address you come from will
change as the NAT translation changes. The fix for this in the Cisco PIX
environment is to run dynamic IPSEC lists w/ wild card authentication keys,
or if you are using the host based client software, run IKE mode config on
the side that is receiving data from a NAT'ed peer.

We run multiple IPSEC ESP tunnels to several peers using NAT. We also accept
several tunnels from dial up clients (whose address constantly changes due
to DHCP) using the IKE mode config or wildcard keys and dynamic lists.
AH is a different animal altogether and it does in fact change (or add to)
the datagram. I avoid AH when possible in production environments, so I
cannot comment on it.


-----Original Message-----
From: Ricky Gomez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: IPSec help


Hey all, I'm trying to implement IPsec in my existing network but we are
using NAT. In order for the Encapsulating Security Payload (ESP) and
Authentication Header (AH) protocols to exit my network the packet cannot
be modified, but it is being modified due to Network Address
Translation (NAT), so the connection is terminated.

Does anyone know what appliance I need to invest in, in order to make this
work?

Ricky Gomez
LAN/WAN ENGINEER
Email: <mailto:[EMAIL PROTECTED]>


_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
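The PIX-side setup Christopher describes above (a dynamic crypto map with a wildcard pre-shared key, plus IKE mode config for host-based clients) written out as an added configuration example. This is not from the original thread or from any of its posters; the names OUTSIDE-MAP, DYNMAP, VPNPOOL and NONAT, the key string, and the 10.1.1.0/24 (inside) and 10.99.0.0/24 (client pool) ranges are assumptions, and the syntax is that of PIX OS 5.x/6.x of the period.

```cisco
! Added example, not from the thread. Names, key and addresses are assumptions.
! The PIX accepts IKE/ESP from peers whose source address is not known in
! advance (sites behind NAT, dial-up clients on DHCP).

! Phase 1 (IKE) on the outside interface
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Wildcard pre-shared key: 0.0.0.0/0.0.0.0 matches any peer address.
! Every peer shares this one secret, so anyone holding it can complete
! Phase 1; treat it like a shared password and rotate it.
isakmp key S3cr3tExampleKey address 0.0.0.0 netmask 0.0.0.0

! Phase 2: ESP only (no AH); tunnel mode is the default
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map: no "set peer", so any peer that authenticates may negotiate
! an SA. The PIX can only respond on a dynamic map, never initiate.
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA

! Bind it as the last (highest sequence) entry of the outside crypto map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

! IKE mode config: hand host-based clients an address from a local pool
ip local pool VPNPOOL 10.99.0.1-10.99.0.254
isakmp client configuration address-pool local VPNPOOL outside
crypto map OUTSIDE-MAP client configuration address respond

! Exempt tunnel-bound traffic from NAT and let IPsec traffic bypass the
! outside interface's conduit/access-list checks
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
```

Check the result with `show isakmp sa` (Phase 1) and `show crypto ipsec sa` (Phase 2 SAs and packet counters). Two practitioner caveats: where a peer's address is fixed, a per-peer `isakmp key ... address <peer>` line is preferable to the wildcard entry, since the wildcard key is one secret shared by every remote site and client; and because ESP carries no port numbers, a many-to-one PAT device between the peers cannot tell two ESP flows to the same destination apart, so expect at most one ESP peer behind each translated address unless the NAT device has specific support for it.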