IPSEC pass through and policy based NAT

geraghtyconor
Level 1

I intended to share one of my public IP addresses between two services:

1. An HTTPS service on my inside network, accessed from the Internet

2. An IPSEC tunnel terminating on an internal device (the other end is 4.2.2.2 on the Internet)

Then I realised ESP and AH would also be needed.

I read up on inspect ipsec-pass-thru; however, my first impression is that I will have no choice but to use one public IP for the IPSEC pass-through and not be able to share it with anything else,

i.e.

(inside,outside) tcp 1.2.3.4 443 10.1.2.3 443 netmask 255.255.255.255
!
(inside,outside) udp 212.44.8.217 443 10.44.4.248 500 netmask 255.255.255.255
(inside,outside) udp 212.44.8.217 443 10.44.4.248 4500 netmask 255.255.255.255

And this is where I am stuck: I realise I need to NAT ESP and AH between 4.2.2.2 and 10.1.2.3.

Help!

1 Reply

First, you don't need AH. It's not used for VPNs any more. And you don't need to NAT ESP. If both IPsec devices are NAT-Traversal enabled, then the whole ESP communication is encapsulated in UDP/4500.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
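As an added example (not from the thread or either poster), the Python below shows why the reply's point holds: under RFC 3948 NAT-Traversal, IKE and UDP-encapsulated ESP share UDP/4500 and are told apart by the 4-byte Non-ESP Marker, so a NAT device only has to translate UDP/500 and UDP/4500 and never IP protocol 50. It also flags a static-PAT table that maps one public proto/port to two inside ports, which is the situation the two udp entries in the question describe; all addresses and payloads are constructed.

```python
"""Added example, not from the thread: with NAT-Traversal (RFC 3948) ESP rides
inside UDP/4500 next to IKE, so a NAT device translates only UDP/500 and
UDP/4500 and never IP protocol 50. Also a clash check for a static-PAT table."""
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on UDP/4500 begins with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-octet NAT keepalive

def classify_udp4500(payload: bytes) -> dict:
    """Tell IKE, UDP-encapsulated ESP and keepalives apart on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return {"kind": "ike", "ike_len": len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:  # SPI 0 is reserved (RFC 4303); a real ESP header never carries it
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}

def check_pat_table(entries):
    """entries: (proto, public_ip, public_port, inside_ip, inside_port). Returns the
    public sockets used more than once: each can map to only one inside host:port."""
    used = Counter((p, pub_ip, pub_port) for p, pub_ip, pub_port, _, _ in entries)
    return sorted(k for k, n in used.items() if n > 1)

# Constructed data (not from the thread): one public IP shared by HTTPS and a
# NAT-T capable IPsec peer. No ESP (protocol 50) entry is required.
PAT_OK = [
    ("tcp", "1.2.3.4", 443, "10.1.2.3", 443),    # HTTPS server
    ("udp", "1.2.3.4", 500, "10.1.2.3", 500),    # IKE
    ("udp", "1.2.3.4", 4500, "10.1.2.3", 4500),  # IKE with marker + UDP-encapsulated ESP
]
# Same public udp/443 pointed at two inside ports: only one can ever win.
PAT_CLASH = PAT_OK[:1] + [
    ("udp", "1.2.3.4", 443, "10.1.2.3", 500),
    ("udp", "1.2.3.4", 443, "10.1.2.3", 4500),
]

SAMPLES = {  # constructed UDP/4500 payloads, not captured traffic
    "ike": NON_ESP_MARKER + bytes(28),                     # marker + 28-byte IKE header
    "esp": struct.pack("!II", 0x0A1B2C3D, 7) + bytes(16),  # SPI, seq, opaque payload
    "keepalive": NAT_KEEPALIVE,
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(name, classify_udp4500(p))
    print("clashes:", check_pat_table(PAT_CLASH))
```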
