IPSEC pass through and policy based NAT

geraghtyconor — Mon, 11 Mar 2019 23:40:37 GMT

I intended to share one of my Public IP addresses between two services

1: A HTTPS service on my inside network accessed from the Internet

2 An IPSEC tunnel terminating on an internal device (other end is 4.2.2.2 on the Internet)

Then I realised ESP and AH would also be needed.

I read up on inspect ipsec-pass-thru however, my first impression is that I will have no choice but to use 1 public IP for the IPSEC pass-through and not be able share it with anything else

i.e.

(inside,outside) tcp 1.2.3.4 443 10.1.2.3 443 netmask 255.255.255.255

(inside,outside) udp 212.44.8.217 443 10.44.4.248 500 netmask 255.255.255.255

(inside,outside) udp 212.44.8.217 443 10.44.4.248 4500 netmask 255.255.255.255

And, this is where I am stuck. I realise I need to NAT ESP and AH between 4.2.2.2 and 10.1.2.3

Help!

IPSEC pass through and policy based NAT

Karsten Iwen — Fri, 10 Aug 2012 11:20:03 GMT

First you don't need AH. It's not used for VPNs any more. And you don't need to NAT ESP. If both IPSec-devices are NAT-Traversal enabled, then the whole ESP-communication is encapsulated in UDP/4500.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

topic IPSEC pass through and policy based NAT in Network Security

IPSEC pass through and policy based NAT

IPSEC pass through and policy based NAT