Introduction
This document provides a sample configuration for an IPSec tunnel through a firewall that performs network address translation (NAT). This configuration does not work with port address translation (PAT) if you use Cisco IOS® Software Releases prior to and not including 12.2(13)T. This kind of configuration can be used to tunnel IP traffic. This cannot be used to encrypt traffic that does not go through a firewall, such as IPX or routing updates. Generic routing encapsulation (GRE) tunneling is appropriate for that kind of configuration. In the example in this document, the Cisco 2621 and 3660 Routers are the IPSec tunnel endpoints that join two private networks, with conduits or access control lists (ACLs) on the PIX in between to allow the IPSec traffic.
Note: NAT is a one-to-one address translation, not to be confused with PAT, which is a many (inside the firewall)-to-one translation. Refer to Verifying NAT Operation and Basic NAT Troubleshooting or How NAT Works for more information on NAT operation and configuration.
Note: IPSec with PAT might not work properly because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address. You need to contact your vendor to determine if the tunnel endpoint devices work with PAT. Additionally, in versions 12.2(13)T and later, the NAT Transparency feature can also be used for PAT. Refer to IPSec NAT Transparency for more information. Refer to Support for IPSec ESP Through NAT for more information about these features in versions 12.2(13)T and later. Also, before you open a case with TAC, refer to NAT Frequently Asked Questions, which has many answers to common questions.
Refer to IPsec Tunnel Pass Through a Security Appliance With use of Access List and MPF with NAT Configuration Example for more information on how to configure an IPSec tunnel through a firewall with NAT on PIX/ASA version 7.x.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco IOS Software Release 12.0.7.T [up to but not including 12.2(13)T]. Refer to IPSec NAT Transparency for more recent versions.
- Cisco 2621 Router that runs Cisco IOS Software Release 12.4
- Cisco 3660 Router that runs Cisco IOS Software Release 12.4
- Cisco PIX Firewall that runs 6.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool to find more information on the commands used in this document.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. These are RFC 1918 addresses which have been used in a lab environment.
Configurations
This document uses these configurations:
Cisco 2621 Configuration
Current configuration:

Cisco PIX Firewall Partial Configuration
fixup protocol dns maximum-length 512

Cisco 3660 Configuration
version 12.4
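As an added illustration of the design described in this document (not the configurations from the document itself, and not Cisco's code), the following shows a constructed set of statements for the three devices: the 2621 is the tunnel endpoint sitting behind the PIX, the PIX performs a one-to-one static translation of the 2621's tunnel address, and the 3660 is the remote endpoint. All addresses (10.1.1.x, 172.16.x.x, 192.168.x.x), hostnames, names of crypto maps and ACLs, and the pre-shared key are made-up placeholders; the 3660 must reference the translated address of the 2621 in both its pre-shared key and its set peer statement, and the PIX must permit IKE (UDP 500) and ESP (IP protocol 50) toward that translated address.

```cisco
! --- Cisco 2621: tunnel endpoint on the inside of the PIX (constructed example) ---
hostname r2621
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Phase 1 key is selected by the peer address as seen on the wire (the 3660)
crypto isakmp key ExamplePSK-change-me address 172.16.2.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map TO-3660 10 ipsec-isakmp
 set peer 172.16.2.1
 set transform-set ESP-AES-SHA
 match address 101
!
interface FastEthernet0/0
 description private LAN behind the 2621
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 description faces the PIX inside interface; the PIX translates 10.1.1.2 to 172.16.1.2
 ip address 10.1.1.2 255.255.255.0
 crypto map TO-3660
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! Only IP traffic between the two private LANs enters the tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! --- Cisco PIX 6.x: partial configuration (constructed example) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
! One-to-one NAT (not PAT) for the 2621's tunnel address; ESP carries no port,
! so a many-to-one translation could not tell tunnels apart
static (inside,outside) 172.16.1.2 10.1.1.2 netmask 255.255.255.255 0 0
! Allow IKE and ESP from the remote endpoint to the translated address only
access-list outside_in permit udp host 172.16.2.1 host 172.16.1.2 eq isakmp
access-list outside_in permit esp host 172.16.2.1 host 172.16.1.2
access-group outside_in in interface outside

! --- Cisco 3660: remote tunnel endpoint (constructed example) ---
hostname r3660
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Key and peer use the 2621's translated address, never its real 10.1.1.2
crypto isakmp key ExamplePSK-change-me address 172.16.1.2
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map TO-2621 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set ESP-AES-SHA
 match address 101
!
interface FastEthernet0/0
 description private LAN behind the 3660
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/1
 description outside interface reachable from the PIX
 ip address 172.16.2.1 255.255.255.0
 crypto map TO-2621
!
! Constructed next hop toward the PIX outside network
ip route 172.16.1.0 255.255.255.0 172.16.2.254
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
```

The PIX never sees the 192.168.x.x addresses: they travel inside ESP between 10.1.1.2 (translated to 172.16.1.2) and 172.16.2.1, so the only xlate and ACL entries it needs are for the endpoint addresses. Because the ACL on the PIX pins both source and destination to the two endpoint addresses, an ESP or IKE packet from any other source is dropped at the outside interface, which keeps the pass-through as narrow as the tunnel itself.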
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
- show crypto ipsec sa—Shows the phase 2 security associations.
- show crypto isakmp sa—Shows the phase 1 security associations.
- show crypto engine connections active—Use to see the encrypted and decrypted packets.
Troubleshoot
Use this section to troubleshoot your configuration.
Troubleshooting Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
- debug crypto engine—Shows the traffic that is encrypted.
- debug crypto ipsec—Use to see the IPSec negotiations of phase 2.
- debug crypto isakmp—Use to see the ISAKMP negotiations of phase 1.
Clearing Security Associations
- clear crypto isakmp—Clears IKE security associations.
- clear crypto ipsec sa—Clears IPSec security associations.