I intended to share one of my Public IP addresses between two services
1. An HTTPS service on my inside network accessed from the Internet
2. An IPsec tunnel terminating on an internal device (the other end is 4.2.2.2 on the Internet)
Then I realised ESP and AH would also be needed.
I read up on inspect ipsec-pass-thru; however, my first impression is that I will have no choice but to use one public IP for the IPsec pass-through and not be able to share it with anything else,
i.e.
! pre-8.3 ASA static PAT: HTTPS to the web server on the shared public address
static (inside,outside) tcp 1.2.3.4 443 10.1.2.3 443 netmask 255.255.255.255
!
! IKE (UDP/500) and NAT-T (UDP/4500) to the internal IPsec endpoint; each mapped port
! must be unique per protocol on the public address, so they cannot both be 443
static (inside,outside) udp 212.44.8.217 500 10.44.4.248 500 netmask 255.255.255.255
static (inside,outside) udp 212.44.8.217 4500 10.44.4.248 4500 netmask 255.255.255.255
And this is where I am stuck. I realise I need to NAT ESP and AH between 4.2.2.2 and 10.1.2.3.
Help!
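To make the single-address sharing concrete, here is an added example of a pre-8.3 ASA configuration (my own illustration, not config from the post) that maps one public address by port to both services and enables IPsec pass-through inspection. It assumes 1.2.3.4 is the shared public address, 10.1.2.3 is the HTTPS host, 10.44.4.248 is the internal IPsec endpoint, 4.2.2.2 is the remote peer, and that both IPsec peers support NAT-T so ESP is carried inside UDP/4500 across the translation:

```cisco
! One public address, 1.2.3.4, shared by port: TCP/443 to the web server,
! UDP/500 (IKE) and UDP/4500 (NAT-T) to the internal IPsec endpoint.
static (inside,outside) tcp 1.2.3.4 443 10.1.2.3 443 netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 500 10.44.4.248 500 netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 4500 10.44.4.248 4500 netmask 255.255.255.255
!
! Inbound policy on the outside interface (pre-8.3 ACLs match the mapped address):
! the web port is open to the Internet, the IKE/NAT-T ports only to the known peer.
access-list outside_in extended permit tcp any host 1.2.3.4 eq 443
access-list outside_in extended permit udp host 4.2.2.2 host 1.2.3.4 eq 500
access-list outside_in extended permit udp host 4.2.2.2 host 1.2.3.4 eq 4500
access-group outside_in in interface outside
!
! IPsec pass-through inspection opens pinholes for ESP (IP protocol 50) and
! AH (IP protocol 51) that are tied to an IKE (UDP/500) session, so no separate
! static for protocol 50/51 is configured. per-client-max caps pinholes per
! client; timeout bounds how long a pinhole lives without matching IKE traffic.
policy-map type inspect ipsec-pass-thru ipsec-pt-map
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pt-map
```

AH authenticates the outer IP header, so it cannot survive any address rewrite and the ah pinhole only helps where no translation applies; when NAT-T is negotiated the tunnel runs over UDP/4500 and only the UDP statics above carry traffic.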