1-15
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring ISAKMP
Using NAT-T
To use NAT-T, you must perform the following site-to-site steps in either single or multiple context
mode:
Step 1
Enter the following command to enable IPsec over NAT-T globally on the ASA:
crypto isakmp nat-traversal
natkeepalive
The
range for the
natkeepalive
argument is 10 to 3600 seconds. The default is 20 seconds.
For example, enter the following command to enable NAT-T and set the keepalive value to one hour.
hostname(config)#
crypto isakmp nat-traversal 3600
Step 2
Select the before-encryption option for the IPsec fragmentation policy by entering this command:
hostname(config)#
crypto ipsec fragmentation before-encryption
This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede
the operation of NAT devices that do support IP fragmentation.
Enabling IPsec with IKEv1 over TCP
IPsec/IKEv1 over TCP enables a Cisco VPN client to operate in an environment in which standard ESP
or IKEv1 cannot function or can function only with modification to existing firewall rules. IPsec over
TCP encapsulates both the IKEv1 and IPsec protocols within a TCP-like packet and enables secure
tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default.
Note
This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. You enable it globally, and it works on all
IKEv1-enabled interfaces. It is a client to the ASA feature only. It does not work for LAN-to-LAN
connections.
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over
UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes
precedence over all other connection methods.
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPsec,
IPsec over TCP, NAT-Traversal, or IPsec over UDP.
You enable IPsec over TCP on both the ASA and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port no longer works on the public interface. The consequence is that you can no longer use a
browser to manage the ASA through the public interface. To solve this problem, reconfigure the
HTTP/HTTPS management to different ports.
The default port is 10000.
You must configure TCP port(s) on the client as well as on the ASA. The client configuration must
include at least one of the ports you set for the ASA.
Summary of Contents for 5505 - ASA Firewall Edition Bundle
Page 28: ...Glossary GL 24 Cisco ASA Series CLI Configuration Guide ...
Page 61: ...P A R T 1 Getting Started with the ASA ...
Page 62: ......
Page 219: ...P A R T 2 Configuring High Availability and Scalability ...
Page 220: ......
Page 403: ...P A R T 2 Configuring Interfaces ...
Page 404: ......
Page 499: ...P A R T 2 Configuring Basic Settings ...
Page 500: ......
Page 533: ...P A R T 2 Configuring Objects and Access Lists ...
Page 534: ......
Page 601: ...P A R T 2 Configuring IP Routing ...
Page 602: ......
Page 745: ...P A R T 2 Configuring Network Address Translation ...
Page 746: ......
Page 845: ...P A R T 2 Configuring AAA Servers and the Local Database ...
Page 846: ......
Page 981: ...P A R T 2 Configuring Access Control ...
Page 982: ......
Page 1061: ...P A R T 2 Configuring Service Policies Using the Modular Policy Framework ...
Page 1062: ......
Page 1093: ...P A R T 2 Configuring Application Inspection ...
Page 1094: ......
Page 1191: ...P A R T 2 Configuring Unified Communications ...
Page 1192: ......
Page 1333: ...P A R T 2 Configuring Connection Settings and QoS ...
Page 1334: ......
Page 1379: ...P A R T 2 Configuring Advanced Network Protection ...
Page 1380: ......
Page 1475: ...P A R T 2 Configuring Modules ...
Page 1476: ......
Page 1549: ...P A R T 2 Configuring VPN ...
Page 1550: ......
Page 1965: ...P A R T 2 Configuring Logging SNMP and Smart Call Home ...
Page 1966: ......
Page 2059: ...P A R T 2 System Administration ...
Page 2060: ......
Page 2098: ...1 8 Cisco ASA Series CLI Configuration Guide Chapter 1 Troubleshooting Viewing the Coredump ...
Page 2099: ...P A R T 2 Reference ...
Page 2100: ......