Cisco ASA 5505 Configuration Manual page 1282

Setting IKE Parameters
When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.
When enabled, IPsec over TCP takes precedence over all other connection methods.
The adaptive security appliance implementation of NAT-T supports IPsec peers behind a single
NAT/PAT device as follows:
- One LAN-to-LAN connection.
- Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
- Open port 4500 on the adaptive security appliance.
- Enable IPsec over NAT-T globally in this pane.
- Choose the second or third option for the Fragmentation Policy parameter in the Configuration >
VPN > IPsec > Pre-Fragmentation pane. These options let traffic travel across NAT devices that do
not support IP fragmentation; they do not impede the operation of NAT devices that do support IP
fragmentation.
Enabling IPsec over TCP
IPsec over TCP enables a VPN client to operate in an environment in which standard ESP or IKE cannot
function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates
both the IKE and IPsec protocols within a TCP packet, and enables secure tunneling through both NAT
and PAT devices and firewalls. This feature is disabled by default.
Note: This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. It works on all physical and VLAN interfaces. It is a
client-to-adaptive security appliance feature only; it does not work for LAN-to-LAN connections.
The adaptive security appliance can simultaneously support standard IPsec, IPsec over TCP,
NAT-Traversal, and IPsec over UDP, depending on the client with which it is exchanging data.
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard
IPsec, IPsec over TCP, NAT-Traversal, or IPsec over UDP.
When enabled, IPsec over TCP takes precedence over all other connection methods.
You enable IPsec over TCP on both the adaptive security appliance and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port will no longer work. The consequence is that you can no longer use a browser to manage
the adaptive security appliance through the IKE-enabled interface. To solve this problem, reconfigure
the HTTP/HTTPS management to different ports.
You must configure TCP port(s) on the client as well as on the adaptive security appliance. The client
configuration must include at least one of the ports you set for the adaptive security appliance.
Determining ID Method
During IKE negotiations the peers must identify themselves to each other. You can choose the
identification methods from the following options:
Address: Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Hostname: Uses the fully-qualified domain name of the hosts exchanging ISAKMP identity
information (default). This name comprises the hostname and the domain name.
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 63, Configuring IKE, Load Balancing, and NAC, page 63-2, OL-20339-01
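The CLI equivalents of the ASDM settings covered above (NAT-T, IPsec over TCP on a non-well-known port, and the ISAKMP identity method), as an added example that is not from the manual. The command syntax is assumed to be that of the ASA 8.x release this guide documents (later releases move these commands under crypto ikev1); the interface name and the port are placeholders.

```cisco
! Added example, not from the manual. Assumes ASA 8.x syntax and an
! interface named "outside" that terminates the tunnels; verify the
! syntax against your release.

! Enable ISAKMP on the tunnel-terminating interface.
crypto isakmp enable outside

! NAT-T: lets IPsec peers behind a NAT/PAT device negotiate over UDP 4500.
! The argument is the NAT keepalive interval in seconds.
! Per device behind NAT: one LAN-to-LAN peer, or several remote access
! clients, but not both at once.
crypto isakmp nat-traversal 20

! IPsec over TCP: once enabled it takes precedence over NAT-T and IPsec
! over UDP. Up to 10 ports may be listed and the client must be set to
! one of them. Avoid well-known management ports: listing 443 here would
! break HTTPS/ASDM access on the IKE-enabled interface unless management
! is first moved with "http server enable <other-port>".
crypto isakmp ipsec-over-tcp port 10000

! Identity method sent during IKE: "hostname" sends the FQDN (the pane's
! default); "address" sends the IP address of the negotiating interface.
crypto isakmp identity hostname
```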