Why Can't IPsec and NAT Just Get Along?
PAGE 4 OF 7

In tunnel-mode ESP, the TCP/UDP headers are encrypted and therefore invisible to the NAT device, so it cannot use port numbers to translate between inside and outside addresses. In this discussion, we are assuming that there is only one NAT device in the network. If there are more, they all need to be IPsec-aware to pass traffic properly. Static NAT and ESP IPsec will work just fine, because only the IP addresses are translated, regardless of upper-layer protocols.

Cisco Systems' Cisco 3060 and its VPN client support remote users through NAT by encapsulating the IP packet into UDP before hitting the network. Because the outer UDP and associated IP header aren't protected in any way, they pass through NAT devices of all kinds without a problem. The receiving Cisco 3060 must de-encapsulate the incoming packet and process it. This works only with the Cisco 3000 line.

There are other proposals in the IETF to standardize the encapsulation of IPsec in UDP, notably IPsec NAT-Traversal in the Network Working Group and RSIP (Realm-Specific IP) for end-to-end IPsec in the Network Address Translators Group. SSH Communications Security is making its NAT Traversal Toolkit available later this quarter.

What's Left?

So that leaves us with one situation: ESP IPsec with NAPT. There are two ways that vendors are solving this problem. The simplest way, which allows only one IPsec VPN to pass through the NAPT, is to associate a single workstation that is running IKE with all IPsec packets.
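The following toy model, added here as an illustration and not code from Planet IT or any vendor, puts the two points above side by side: a NAPT that hashes on transport ports has nothing to hash on for bare ESP (protocol 50), while UDP-encapsulated ESP translates like any other UDP flow; and the "simplest way" just described, binding all ESP traffic to the one inside host that runs IKE, lets exactly one ESP VPN through. The IP addresses, the SPI values and the use of UDP port 4500 for the encapsulated traffic are constructed assumptions for the example.

```python
"""Toy NAPT in front of IPsec peers (constructed example, not vendor code).

Packets are small dataclasses. The NAPT keeps the two tables the article
implies a real device needs: a per-flow port mapping for TCP/UDP, and a
single inside host associated with all ESP packets (the simplest vendor
fix, which allows only one IPsec VPN through the NAPT).
"""
from dataclasses import dataclass, field
from typing import Optional

TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers
IKE_PORT = 500                     # IKE runs over UDP/500
UDP_ENCAP_PORT = 4500              # assumed port for ESP-in-UDP (NAT-T style)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None    # only meaningful for TCP/UDP
    dport: Optional[int] = None
    spi: Optional[int] = None      # ESP security parameter index


@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000
    port_map: dict = field(default_factory=dict)     # (in_ip, in_port) -> out_port
    reverse_map: dict = field(default_factory=dict)  # out_port -> (in_ip, in_port)
    esp_host: Optional[str] = None                   # the one host allowed to use ESP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; return the rewritten packet or None if dropped."""
        if pkt.proto in (TCP, UDP):
            key = (pkt.src, pkt.sport)
            if key not in self.port_map:              # allocate an outside port per flow
                self.port_map[key] = self.next_port
                self.reverse_map[self.next_port] = key
                self.next_port += 1
            if pkt.proto == UDP and pkt.dport == IKE_PORT and self.esp_host is None:
                self.esp_host = pkt.src               # first IKE speaker "owns" ESP
            return Packet(self.public_ip, pkt.dst, pkt.proto, self.port_map[key], pkt.dport)
        if pkt.proto == ESP:
            if pkt.src != self.esp_host:              # no ports to map, no association
                return None
            return Packet(self.public_ip, pkt.dst, ESP, spi=pkt.spi)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate outside->inside using the tables built by outbound traffic."""
        if pkt.proto in (TCP, UDP):
            key = self.reverse_map.get(pkt.dport)
            if key is None:
                return None
            return Packet(pkt.src, key[0], pkt.proto, pkt.sport, key[1])
        if pkt.proto == ESP and self.esp_host is not None:
            return Packet(pkt.src, self.esp_host, ESP, spi=pkt.spi)
        return None


def run_scenarios() -> dict:
    """Walk through the cases the article describes; returns which ones pass."""
    napt = Napt("203.0.113.1")
    peer, host_a, host_b = "198.51.100.9", "10.0.0.5", "10.0.0.6"
    results = {}
    # 1. Bare ESP before anyone runs IKE: nothing to associate it with, dropped.
    results["esp_without_ike"] = napt.outbound(Packet(host_a, peer, ESP, spi=0x1001)) is not None
    # 2. Host A runs IKE (UDP/500), so its ESP now passes in both directions.
    napt.outbound(Packet(host_a, peer, UDP, IKE_PORT, IKE_PORT))
    out = napt.outbound(Packet(host_a, peer, ESP, spi=0x1001))
    back = napt.inbound(Packet(peer, napt.public_ip, ESP, spi=0x2002))
    results["esp_host_a"] = out is not None and back is not None and back.dst == host_a
    # 3. Host B also runs IKE: IKE itself is UDP and translates, but B's ESP is dropped.
    napt.outbound(Packet(host_b, peer, UDP, IKE_PORT, IKE_PORT))
    results["esp_host_b"] = napt.outbound(Packet(host_b, peer, ESP, spi=0x3003)) is not None
    # 4. Host B wraps ESP in UDP: the unprotected outer UDP header maps like any flow.
    encap = napt.outbound(Packet(host_b, peer, UDP, UDP_ENCAP_PORT, UDP_ENCAP_PORT))
    reply = napt.inbound(Packet(peer, napt.public_ip, UDP, UDP_ENCAP_PORT, encap.sport))
    results["udp_encap_host_b"] = reply is not None and reply.dst == host_b
    return results


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name}: {'passes NAPT' if passed else 'dropped'}")
```

Scenario 3 is the limitation the article points out: with the single-host association, a second workstation's IKE exchange succeeds (it is plain UDP) but its ESP never gets through, which is why the UDP-encapsulation approach of scenario 4 is the more general answer.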

(see image)
