Basic topology per the below diagram:
Two routers R1 and R3 build a VPN to each other across a NAT translating device (R2).
R1 Configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address 1.1.1.6
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 1.1.1.6
 set transform-set 3DES-MD5
 match address VPN_ACL
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 crypto map VPN_MAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list extended VPN_ACL
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R2 Configuration:
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 ip address 1.1.1.5 255.255.255.252
 ip nat outside
!
ip nat inside source list NAT_ACL interface FastEthernet0/1 overload
!
ip access-list extended NAT_ACL
 permit ip any any
R3 Configuration:
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key password
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 10
crypto isakmp profile L2L
 keyring spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYN_MAP 1
 set transform-set 3DES-MD5
 set isakmp-profile L2L
!
crypto map VPN_MAP 1 ipsec-isakmp dynamic DYN_MAP
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.1.6 255.255.255.252
 crypto map VPN_MAP
!
ip route 0.0.0.0 0.0.0.0 1.1.1.5
!
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
Evidence:
VPN is active:
R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.6         1.1.1.1         QM_IDLE           1002    0 ACTIVE

R3#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.6         1.1.1.5         QM_IDLE           1002    0 ACTIVE
NAT-T Ports Used:
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 1.1.1.5:500        1.1.1.1:500        1.1.1.6:500        1.1.1.6:500
udp 1.1.1.5:4500       1.1.1.1:4500       1.1.1.6:4500       1.1.1.6:4500
So there you have it: ISAKMP uses UDP/500 and NAT-T encapsulated IPsec uses UDP/4500, which is why both must be allowed through (and translated by) the PAT device.
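The two outputs above are the checks you make by hand. As an added example (not part of the original post), the following Python script parses both and confirms that the PAT device is translating UDP/500 and UDP/4500 for the inside endpoint and that the far end holds an active SA whose peer is the PAT address 1.1.1.5 rather than R1's own 1.1.1.1. The embedded outputs are constructed to match this lab and the function names are my own.

```python
"""Check an IPsec tunnel through PAT from the router outputs in this post. Sample
outputs are constructed to match the lab (R1 1.1.1.1 behind PAT 1.1.1.5, peer 1.1.1.6)."""

ISAKMP_PORT, NAT_T_PORT = 500, 4500  # IKE and NAT-T encapsulation ports

NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 1.1.1.5:500        1.1.1.1:500        1.1.1.6:500        1.1.1.6:500
udp 1.1.1.5:4500       1.1.1.1:4500       1.1.1.6:4500       1.1.1.6:4500
"""
ISAKMP_OUTPUT_R3 = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.6         1.1.1.5         QM_IDLE           1002    0 ACTIVE
"""

def _endpoint(token):  # 'ip:port' -> (ip, int port)
    ip, port = token.rsplit(":", 1)
    return ip, int(port)

def parse_nat_translations(text):
    """One dict per translation row of 'show ip nat translations'; header skipped."""
    keys = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")
    return [dict(zip(keys, [p[0]] + [_endpoint(t) for t in p[1:]]))
            for p in (line.split() for line in text.splitlines())
            if len(p) == 5 and p[0] in ("udp", "tcp")]

def parse_isakmp_sa(text):
    """One dict per SA row of 'show crypto isakmp sa'; header rows are skipped."""
    return [{"dst": p[0], "src": p[1], "state": p[2], "status": p[5]}
            for p in (line.split() for line in text.splitlines())
            if len(p) == 6 and p[0][0].isdigit()]

def nat_t_ports_in_use(rows, inside_ip, peer_ip):
    """UDP ports PAT translates between inside endpoint and far peer (expect 500 and 4500)."""
    return {r["inside_local"][1] for r in rows if r["proto"] == "udp"
            and r["inside_local"][0] == inside_ip
            and r["outside_global"][0] == peer_ip}

def tunnel_healthy(nat_text, isakmp_text, inside_ip, pat_ip, peer_ip):
    """True when both NAT-T ports are translated and the far end holds an ACTIVE
    QM_IDLE SA whose source is the PAT address, not the inside address."""
    ports = nat_t_ports_in_use(parse_nat_translations(nat_text), inside_ip, peer_ip)
    far_end_ok = any(sa["src"] == pat_ip and sa["dst"] == peer_ip
                     and sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
                     for sa in parse_isakmp_sa(isakmp_text))
    return ports == {ISAKMP_PORT, NAT_T_PORT} and far_end_ok
```

If only UDP/500 shows up in the translation table, phase 1 completed but NAT-T was never negotiated, and ESP will not survive the PAT device.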