Filter
Top Products
68-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Setting IKE Parameters
• When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.
• When enabled, IPsec over TCP takes precedence over all other connection methods.
The ASA implementation of NAT-T supports IPsec peers behind a single NAT/PAT device as follows:
• One LAN-to-LAN connection.
• Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
• Open port 4500 on the ASA.
• Enable IPsec over NAT-T globally in this pane.
• Choose the second or third option for the Fragmentation Policy parameter in the Configuration >
VPN > IPsec > Pre-Fragmentation pane. These options let traffic travel across NAT devices that do
not support IP fragmentation; they do not impede the operation of NAT devices that do support IP
fragmentation.
Enabling IPsec over TCP
IPsec over TCP enables a VPN client to operate in an environment in which standard ESP or IKE cannot
function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates
both the IKE and IPsec protocols within a TCP packet, and enables secure tunneling through both NAT
and PAT devices and firewalls. This feature is disabled by default.
Note This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. It works on all physical and VLAN interfaces. It is a
client to ASA feature only. It does not work for LAN-to-LAN connections.
• The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec
over UDP, depending on the client with which it is exchanging data.
• The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard
IPsec, IPsec over TCP, NAT-Traversal, or IPsec over UDP.
• When enabled, IPsec over TCP takes precedence over all other connection methods.
You enable IPsec over TCP on both the ASA and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port will no longer work. The consequence is that you can no longer use a browser to manage
the ASA through the IKE-enabled interface. To solve this problem, reconfigure the HTTP/HTTPS
management to different ports.
You must configure TCP port(s) on the client as well as on the ASA. The client configuration must
include at least one of the ports you set for the ASA.
Determining ID Method
During IKE negotiations the peers must identify themselves to each other. You can choose the
identification methods from the following options:
Address Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Hostname Uses the fully-qualified domain name of the hosts exchanging ISAKMP identity
information (default). This name comprises the hostname and the domain name.