fleainacup
New Member
Posts:
2
Joined:
Wed Feb 15, 2012 10:21 am
Certs:
SSCP BCCPA

NAT-T and IPSEC

Wed Feb 15, 2012 10:39 am

Overview:

User-> Proxy -> chained to another Proxy -> FWSM -> NAT'ing router (Cisco 7600) -> VPN (Juniper SG250 does encrypt and decrypt on both sides) -> ASA-> F5 -> 2 Web servers



I believe our trouble is with the NAT'ing router. It essentially NATs anywhere from 10-16 private IPs to one. From here it is handed up to a VPN that encrypts into IPSEC and is sent over a tunnel. It then is sent to the distant end where it is unencrypted and sent through the distant end ASA -> F5 load balancer -> 2 web servers. The application has extreme latency with this in line. However, if we bypass the top proxy and FWSM and don't NAT then it works great.

We have looked at the obvious issues though it is hard getting distant end troubleshooting. Can someone tell me if this is a NAT-T scenario, or if that only matters if it is one device doing both the NAT'ing and encryption?

Also we don't seem to see a high range of port usage on the NAT'ing router...we have set it for 1025-64000....we generally don't see it go more than 1025-3000. There is enough traffic with the application to legitimately see more than that. The distant end firewall does show "TCP show port reuse" in their initial SYN packets on Wireshark captures. But for the life of us we can't figure out who's reusing the ports. There's actually a multitude of problems there could be, but I'm going to stop here for the moment and see if you guys see anything glaringly wrong or have a poignant question. First time post. Cheers.

kj_juniper
New Member
Posts:
9
Joined:
Sun Jul 21, 2013 4:58 am
Certs:
JNICA-FWV,JUNICS-FWV, JNCIA-IDP

Re: NAT-T and IPSEC

Sun Jul 21, 2013 6:52 am

This is not a NAT-T scenario.

NAT-T comes into the picture only if there is a natting device in the path of the VPN.

For example, say there is a VPN between firewall-1 and firewall-2:
[Firewall-1]--------[router that does NAT/PT]--------[firewall-2]

Regards,
KJ
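The distinction KJ draws is exactly what the IKE peers test for themselves: each side hashes the SPIs plus the source address and port it believes it is using, and the other side recomputes the hash over the address and port it actually received the packet from. A mismatch means a NAT rewrote the outer header between the peers, which is the only case where NAT-T engages. The following is an added example (not code from either poster) that computes the IKEv2 NAT_DETECTION_SOURCE_IP value from RFC 7296 section 2.23 for both topologies; the addresses and SPIs are constructed.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """IKEv2 NAT_DETECTION_*_IP notification data (RFC 7296 section 2.23):
    SHA-1 over initiator SPI | responder SPI | IP address | UDP port."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(spi_i: bytes, spi_r: bytes,
                      claimed_ip: str, claimed_port: int,
                      observed_ip: str, observed_port: int) -> bool:
    """Responder-side check. The initiator hashes the source it thinks it
    has; the responder hashes the source it actually saw. Different digests
    mean something translated the packet in transit, so NAT-T is required."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


# Constructed 8-byte SPIs, as carried in the IKE header; values are arbitrary.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def thread_topology() -> bool:
    # Constructed addresses for the original poster's chain: the 7600 NATs
    # the users' private addresses *before* the SG250, and the SG250 builds
    # the tunnel from its own address. The IKE packets are never translated,
    # so both peers compute the same digest.
    return nat_between_peers(SPI_I, SPI_R, "203.0.113.10", 500,
                             "203.0.113.10", 500)


def kj_topology() -> bool:
    # Constructed addresses for KJ's diagram: firewall-1 sits behind the
    # NAT/PT router, so firewall-2 sees the router's address and a
    # translated port instead of what firewall-1 put in its hash.
    return nat_between_peers(SPI_I, SPI_R, "192.168.1.1", 500,
                             "198.51.100.7", 41000)


if __name__ == "__main__":
    print("thread topology needs NAT-T:", thread_topology())  # False
    print("KJ's diagram needs NAT-T:", kj_topology())          # True
```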

fleainacup
New Member
Posts:
2
Joined:
Wed Feb 15, 2012 10:21 am
Certs:
SSCP BCCPA

Re: NAT-T and IPSEC

Tue Jul 23, 2013 9:11 am

kj_juniper wrote: This is not a NAT-T scenario.

NAT-T comes into the picture only if there is a natting device in the path of the VPN.

For example, say there is a VPN between firewall-1 and firewall-2:
[Firewall-1]--------[router that does NAT/PT]--------[firewall-2]

Regards,
KJ



Thanks for the reply. It turns out for some reason or another our NAT'ing router was not using all the possible ports. We removed that feature from the router and Cisco helped us set up the NAT for a different interface on the FWSM for this particular traffic without affecting our other traffic leaving a different interface. Users reported good performance.

Cheers,

Scotty
