© 2003, Cisco Systems, Inc. All rights reserved. CSVPN

Lesson 14: Configuring the Cisco Virtual Private Network 3000 Series Concentrator for IPSec over UDP and IPSec over TCP

Objectives
Upon the completion of this lesson, you will be able to perform the following tasks:
- Describe how address translation works at the port level.
- Explain the IPSec address translation issue.
- Describe the three Concentrator translation options.
- Configure the Concentrator for IPSec over UDP.
- Configure the Concentrator for NAT Traversal.
- Configure the Concentrator for IPSec over TCP.
- Monitor session statistics.

Overview of Port Address Translation

NAT
[Diagram: remote office reaching an application server at the corporate office across the Internet through a NAT device]

NAT (cont.)
[Diagram: the same topology, with the path through the NAT device marked "?"]

PAT
[Diagram: the same topology with a PAT device; ports are labelled on both sides of the translation ("Port – Port")]

PAT (cont.)
[Diagram: remote office reaching the corporate office application server across the Internet through a PAT device]

IKE and UDP Issue
[Diagram: Concentrator behind a NAT device across the Internet; IKE passes through, IPSec is dropped]

IPSec over UDP (Proprietary)
[Diagram: Cisco VPN Client to Concentrator through a PAT device across the Internet]
Packet layout, outer to inner: IP | UDP | ESP | IP | Data | Hash

NAT Traversal (Standards-Based IPSec over UDP)
[Diagram: Cisco VPN Client (Initiator) to Concentrator (Responder) through a PAT device across the Internet, using UDP port 4500]
IKE exchange as labelled on the slide (X denotes the port assigned by the PAT device):
  Initiator -> Responder   UDP (X, 500)   ... VID
  Responder -> Initiator   UDP (500, X)   ... VID, NAT-D, NAT-D
  Initiator -> Responder   UDP (X, 4500)  ... NAT-D, NAT-D
  Responder -> Initiator   UDP (4500, X)  ...
Packet layout, outer to inner: IP | UDP | ESP | IP | Data | Hash

IPSec over TCP (System-wide)
[Diagram: Cisco VPN Client to Concentrator through a PAT device across the Internet]
Packet layout, outer to inner: IP | TCP | ESP | IP | Data | Hash
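The following Python model is an added example, not part of the Cisco lesson. It shows the translation issue the slides describe: a port-level PAT device keys its mappings on the layer-4 port, a raw ESP header carries no port, so the packet is dropped, while the same ESP payload wrapped in UDP or TCP is translated normally. It also models the NAT-D check from the NAT-T exchange above, computed as HASH(CKY-I | CKY-R | IP | Port) in the style of RFC 3947. Everything is constructed: the addresses, cookies and the PAT's outside port range are sample values, SHA-1 is assumed as the negotiated hash, and port 10000 is assumed as the Concentrator's default for the proprietary UDP and TCP encapsulations (the lesson only names UDP 500 and 4500).

```python
"""Constructed model of IPSec through a port-level PAT device (added example)."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

ESP, UDP, TCP = 50, 17, 6          # IP protocol numbers
IKE_PORT = 500                     # UDP port used by IKE (on the NAT-T slide)
NAT_T_PORT = 4500                  # UDP port used by NAT-T (on the NAT-T slide)
IPSEC_OVER_UDP_PORT = 10000        # assumed Concentrator default, configurable
IPSEC_OVER_TCP_PORT = 10000        # assumed Concentrator default, configurable


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for ESP: the ESP header has no port field
    dst_port: Optional[int] = None
    payload: bytes = b""


@dataclass
class PortPAT:
    """Many inside hosts share one outside IP; each flow is keyed by its port."""
    outside_ip: str
    next_port: int = 20000                         # constructed outside port pool
    table: dict = field(default_factory=dict)      # (proto, ip, port) -> outside port

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # The mapping is built from the layer-4 source port. ESP has none, so a
        # port-level PAT has nothing to key on and the packet is dropped.
        if pkt.src_port is None:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.outside_ip, pkt.dst_ip, pkt.proto,
                      self.table[key], pkt.dst_port, pkt.payload)


def esp_packet(src: str, dst: str, esp: bytes) -> Packet:
    """Plain IPSec: IP | ESP | ... (no transport header)."""
    return Packet(src, dst, ESP, payload=esp)


def esp_over_udp(src: str, dst: str, esp: bytes, port: int) -> Packet:
    """IPSec over UDP (proprietary) or NAT-T: IP | UDP | ESP | ..."""
    return Packet(src, dst, UDP, port, port, esp)


def esp_over_tcp(src: str, dst: str, esp: bytes, port: int) -> Packet:
    """IPSec over TCP: IP | TCP | ESP | ..."""
    return Packet(src, dst, TCP, port, port, esp)


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed as the hash."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """Responder side: the peer hashed its own address; compare with what arrived."""
    return nat_d(cky_i, cky_r, claimed_ip, claimed_port) != nat_d(cky_i, cky_r, seen_ip, seen_port)


def run_demo() -> dict:
    client, concentrator = "192.168.1.10", "203.0.113.5"   # constructed addresses
    pat = PortPAT(outside_ip="198.51.100.7")                # constructed PAT outside IP
    # Constructed ESP body: SPI, sequence number, opaque ciphertext.
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16
    results = {}
    results["raw_esp"] = pat.translate(esp_packet(client, concentrator, esp))   # dropped
    results["udp"] = pat.translate(esp_over_udp(client, concentrator, esp, IPSEC_OVER_UDP_PORT))
    results["tcp"] = pat.translate(esp_over_tcp(client, concentrator, esp, IPSEC_OVER_TCP_PORT))
    # NAT-T: IKE on UDP 500 crosses the PAT; the initiator's NAT-D was computed on
    # its inside address, so the responder sees a mismatch and switches to 4500.
    cky_i, cky_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    ike = pat.translate(Packet(client, concentrator, UDP, IKE_PORT, IKE_PORT))
    results["nat_detected"] = nat_detected(cky_i, cky_r, client, IKE_PORT, ike.src_ip, ike.src_port)
    results["nat_t"] = pat.translate(esp_over_udp(client, concentrator, esp, NAT_T_PORT))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {'dropped' if value is None else value}")
```

The three encapsulations differ only in the transport header in front of ESP, which is exactly what gives the PAT device a port to key on; the NAT-D comparison is what lets a standards-based peer discover that such a device sits in the path before it chooses the UDP 4500 encapsulation.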
IPSec Through PAT Mode

Configuring IPSec over UDP

Concentrator Configuration: IPSec over UDP
[Diagram: Client to Concentrator across the Internet]
Packet layout, outer to inner: IP | UDP | ESP | IP | Data | Hash

Software Client Configuration: IPSec over UDP
[Diagram: Client to Concentrator across the Internet]

Configuring NAT Traversal

Concentrator Configuration: NAT-T
[Diagram: Client to Concentrator across the Internet]
Packet layout, outer to inner: IP | UDP | ESP | IP | Data | Hash

Software Client Configuration: NAT-T
[Diagram: Client to Concentrator across the Internet]

Configuring IPSec over TCP

Concentrator IPSec over TCP Configuration
[Diagram: Client to Concentrator across the Internet]
Packet layout, outer to inner: IP | TCP | ESP | IP | Data | Hash

Hardware Client IPSec over TCP Configuration
[Diagram: SOHO hardware client to Concentrator across the Internet]
Packet layout, outer to inner: IP | TCP | ESP | IP | Data | Hash

Software Client IPSec over TCP Configuration
[Diagram: Client to Concentrator across the Internet]

Monitoring Session Statistics

Software Client Connection Status
[Diagram: Client to Concentrator across the Internet]

Hardware Client Connection Status
[Diagram: Client to Concentrator across the Internet]

Concentrator Monitor Session
[Diagram: Client to Concentrator across the Internet]
Packet layout, outer to inner: IP | TCP | ESP | IP | Data | Hash

Concentrator Monitor Session Detail

Summary
- IPSec does not translate through a NAT or PAT device.
- Configure IPSec over UDP, NAT-T, or TCP in both the Concentrator and clients.
- For each tunnel type, an applicable port number is defined.
- IPSec over TCP, NAT-T, or UDP statistics are viewable on both the Concentrator and clients.