What is Teneo?
Teneo (Latin - TAYN-ay-oh) To grasp, To know, To understand.
Speaking of IPSEC and NAT…
What is the rule in which you would need to implement NAT-T for a VPN tunnel? I always hear it’s when a NAT device is sitting in between the two devices participating in the tunnel; however, I have seen that work without NAT-T as well. Or maybe NAT-T was on by default and I didn’t know it?
Thoughts?
It’s been my understanding that you are correct. See, IPSec does not like any device messing with its packets. To do so would break the security that IPSec implements. Not only that, but NAT uses ports to map the global connection to the local connection. However, IPSec doesn’t have ports, only a protocol number (protocol 50 if memory serves). Since IPSec doesn’t use ports, how can NAT properly NAT it?
So, now comes NAT-T (or NAT Traversal). This is where the peer encapsulates the IPSec packets inside a UDP packet, and UDP CAN traverse through NAT, but both sides must be configured for it, as the remote peer would have to decapsulate it in order to read the packet.
The only time I’ve not used NAT-T, and it still worked across NAT’d routers, is because I would configure the Cisco VPN Client (and concentrator) to use TCP port 80 to establish all the sessions (in that case, I’m not encapsulating in UDP, but rather TCP, and port 80 is usually allowed through most firewalls). Doing so would not require NAT-T. Could that be it?
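A constructed Python model of the point made in the reply above, added here and not part of the original post or of any vendor's code: a port-overloading NAT can allocate a mapping for a UDP-encapsulated ESP packet (NAT-T, UDP port 4500) because it has ports to rewrite, but a raw ESP packet (protocol 50) gives it nothing to map, and two inside hosts' tunnels become indistinguishable. The addresses, SPIs and the `PortNat` class are assumptions for illustration.

```python
import struct

ESP_PROTO = 50        # IPsec ESP carries only SPI + sequence number, no ports
UDP_PROTO = 17
NAT_T_PORT = 4500     # RFC 3948: ESP encapsulated in UDP, port 4500


def esp_packet(src, dst, spi, seq):
    """Raw ESP datagram: outer IP (src, dst, proto 50) plus the SPI/seq header."""
    return {"src": src, "dst": dst, "proto": ESP_PROTO,
            "esp": struct.pack("!II", spi, seq)}


def nat_t_packet(src, dst, spi, seq, sport=NAT_T_PORT):
    """The same ESP header wrapped in UDP: now the NAT has ports to rewrite."""
    return {"src": src, "dst": dst, "proto": UDP_PROTO, "sport": sport,
            "dport": NAT_T_PORT, "esp": struct.pack("!II", spi, seq)}


class PortNat:
    """Constructed model of a port-overloading NAT (PAT) with one public IP.
    Outbound flows are keyed on the inside (ip, port) and rewritten to
    (public_ip, public_port); return traffic is matched on public_port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # (inside_ip, inside_port) -> public_port
        self.next_port = 40000

    def outbound(self, pkt):
        if "sport" not in pkt:
            # Protocol 50 has no port field: there is nothing to key a mapping
            # on, so translation fails (many real devices simply drop it here).
            return None
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        out = dict(pkt)
        out["src"], out["sport"] = self.public_ip, self.table[key]
        return out   # the inner "esp" bytes are untouched, so the ESP ICV still verifies


def compare_nat_behaviour():
    """Two inside hosts behind one NAT, each bringing up a tunnel to the same peer."""
    nat = PortNat("203.0.113.1")
    hosts = (("10.0.0.5", 0x1001), ("10.0.0.6", 0x1002))
    raw = [nat.outbound(esp_packet(h, "198.51.100.9", spi, 1)) for h, spi in hosts]
    encap = [nat.outbound(nat_t_packet(h, "198.51.100.9", spi, 1)) for h, spi in hosts]
    return raw, encap
```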
Dear Aaron,
Thanks for your posting.
I have really been struggling with having a remote-access VPN client terminate on the outside interface of an ASA 5505 and am battling to implement your suggestion here to give the client strict access to the DMZ. Would it be possible to post a portion/entire configuration of what you posted initially to give me a better idea?
Blessings,
Dion
Great tip! Thanks!