This document provides a sample configuration for an IPSec tunnel through a firewall that performs network address translation (NAT). This configuration does not work with port address translation (PAT) if you use Cisco IOS® Software Releases prior to and not including 12.2(13)T. This kind of configuration can be used to tunnel IP traffic. This cannot be used to encrypt traffic that does not go through a firewall, such as IPX or routing updates. Generic routing encapsulation (GRE) tunneling is appropriate for that kind of configuration. In the example in this document, the Cisco 2621 and 3660 Routers are the IPSec tunnel endpoints that join two private networks, with conduits or access control lists (ACLs) on the PIX in between to allow the IPSec traffic.
Note: NAT is a one-to-one address translation, not to be confused with PAT, which is a many (inside the firewall)-to-one translation. Refer to Verifying NAT Operation and Basic NAT Troubleshooting or How NAT Works for more information on NAT operation and configuration.
Note: IPSec with PAT might not work properly because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address. You need to contact your vendor to determine if the tunnel endpoint devices work with PAT. Additionally, in versions 12.2(13)T and later, the NAT Transparency feature can also be used for PAT. Refer to IPSec NAT Transparency for more information. Refer to Support for IPSec ESP Through NAT for more information about these features in versions 12.2(13)T and later. Also, before you open a case with TAC, refer to NAT Frequently Asked Questions, which has many answers to common questions.
Refer to IPsec Tunnel Pass Through a Security Appliance With use of Access List and MPF with NAT Configuration Example for more information on how to configure an IPSec tunnel through a firewall with NAT on PIX/ASA version 7.x.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco IOS Software Release12.0.7.T [up to but not including 12.2(13)T]
Refer to IPSec NAT Transparency for more recent versions.
Cisco 2621 Router that runs Cisco IOS Software Release 12.4
Cisco 3660 Router that runs Cisco IOS Software Release 12.4
Cisco PIX Firewall that runs 6.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. These are RFC 1918 addresses which have been used in a lab environment.
This document uses these configurations:
|Cisco 2621 Configuration|
Current configuration: ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname goss-2621 ! ip subnet-zero ! ip audit notify log ip audit po max-events 100 isdn voice-call-failure 0 cns event-service server ! !--- IKE Policy crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco123 address 10.99.99.2 ! crypto ipsec transform-set myset esp-des esp-md5-hmac ! crypto map mymap local-address FastEthernet0/1 !--- IPSec Policy crypto map mymap 10 ipsec-isakmp set peer 10.99.99.2 set transform-set myset !--- Include the private-network-to-private-network traffic !--- in the encryption process. match address 101 ! controller T1 1/0 ! interface FastEthernet0/0 ip address 10.2.2.1 255.255.255.0 no ip directed-broadcast duplex auto speed auto ! interface FastEthernet0/1 ip address 10.1.1.2 255.255.255.0 no ip directed-broadcast duplex auto speed auto !--- Apply to interface. crypto map mymap ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.1 no ip http server !--- Include the private-network-to-private-network traffic !--- in the encryption process. access-list 101 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255 line con 0 transport input none line aux 0 line vty 0 4 ! no scheduler allocate end
|Cisco PIX Firewall Partial Configuration|
fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 !--- The fixup protocol esp-ike command is disabled by default. fixup protocol esp-ike ip address outside 10.99.99.1 255.255.255.0 ip address inside 10.1.1.1 255.255.255.0 !--- Range of registered IP addresses for use. global (outside) 1 10.99.99.50-10.99.99.60 !--- Translate any internal source address when !--- going out to the Internet. nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0 !--- or access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12 access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500 !--- It is important to permit UDP port 4500 for NAT-T because the PIX is acting !--- as a NAT device between the routers. access-group acl-out in interface outside isakmp enable outside isakmp enable inside Command configured in order to enable NAT-T isakmp nat-traversal 20 route outside 0.0.0.0 0.0.0.0 184.108.40.206 1 route inside 10.2.2.0 255.255.255.0 10.1.1.2 1
Note: The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the PIX Firewall preserves the source port of the Internet Key Exchange (IKE). It also creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface.
|Cisco 3660 Configuration|
version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname goss-3660 ! ip subnet-zero ! cns event-service server ! !--- IKE Policy crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco123 address 10.99.99.12 ! crypto ipsec transform-set myset esp-des esp-md5-hmac ! crypto map mymap local-address FastEthernet0/0 !--- IPSec Policy crypto map mymap 10 ipsec-isakmp set peer 10.99.99.12 set transform-set myset !--- Include the private-network-to-private-network traffic !--- in the encryption process. match address 101 ! interface FastEthernet0/0 ip address 10.99.99.2 255.255.255.0 no ip directed-broadcast ip nat outside duplex auto speed auto !--- Apply to interface. crypto map mymap ! interface FastEthernet0/1 ip address 10.3.3.1 255.255.255.0 no ip directed-broadcast ip nat inside duplex auto speed auto ! interface Ethernet3/0 no ip address no ip directed-broadcast shutdown ! interface Serial3/0 no ip address no ip directed-broadcast no ip mroute-cache shutdown ! interface Ethernet3/1 no ip address no ip directed-broadcast interface Ethernet4/0 no ip address no ip directed-broadcast shutdown ! interface TokenRing4/0 no ip address no ip directed-broadcast shutdown ring-speed 16 ! !--- Pool from which inside hosts translate to !--- the globally unique 10.99.99.0/24 network. ip nat pool OUTSIDE 10.99.99.70 10.99.99.80 netmask 255.255.255.0 !--- Except the private network from the NAT process. ip nat inside source route-map nonat pool OUTSIDE ip classless ip route 0.0.0.0 0.0.0.0 10.99.99.1 no ip http server ! !--- Include the private-network-to-private-network traffic !--- in the encryption process. access-list 101 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255 access-list 101 deny ip 10.3.3.0 0.0.0.255 any !--- Except the private network from the NAT process. access-list 110 deny ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255 access-list 110 permit ip 10.3.3.0 0.0.0.255 any route-map nonat permit 10 match ip address 110 ! line con 0 transport input none line aux 0 line vty 0 4 ! end
Use this section to confirm that your configuration works properly.
show crypto ipsec sa—Shows the phase 2 security associations.
show crypto isakmp sa—Shows the phase 1 security associations.
show crypto engine connections active—Use to see the encrypted and decrypted packets.
Use this section to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug crypto engine—Shows the traffic that is encrypted.
debug crypto ipsec—Use to see the IPSec negotiations of phase 2.
debug crypto isakmp—Use to see the ISAKMP negotiations of phase 1.
clear crypto isakmp—Clears IKE security associations.
clear crypto ipsec sa—Clears IPSec security associations.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.