Enabling Ipsec Over Tcp - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 27
Configuring IPSec and ISAKMP
Configuring ISAKMP
crypto isakmp nat-traversal natkeepalive

natkeepalive is in the range 10 to 3600 seconds. The default is 20 seconds.
For example, enter the following command to enable NAT-T and set the keepalive to one hour:
hostname(config)# crypto isakmp nat-traversal 3600

Step 2
Select the "before-fragmentation" option for the IPSec fragmentation policy.
This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede
the operation of NAT devices that do support IP fragmentation.

Enabling IPSec over TCP

IPSec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or
ISAKMP cannot function, or can function only with modification to existing firewall rules. IPSec over
TCP encapsulates both the ISAKMP and IPSec protocols within a TCP-like packet, and enables secure
tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default.
Note: This feature does not work with proxy-based firewalls.

IPSec over TCP works with remote access clients. You enable it globally, and it works on all ISAKMP
enabled interfaces. It is a client to security appliance feature only. It does not work for LAN-to-LAN
connections.
The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and
IPSec over UDP, depending on the client with which it is exchanging data. IPSec over TCP, if enabled,
takes precedence over all other connection methods.
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec,
IPSec over TCP, NAT-Traversal, or IPSec over UDP.
You enable IPSec over TCP on both the security appliance and the client to which it connects.
You can enable IPSec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port no longer works on the public interface. The consequence is that you can no longer use a
browser to manage the security appliance through the public interface. To solve this problem,
reconfigure the HTTP/HTTPS management to different ports.
The default port is 10000.
You must configure TCP port(s) on the client as well as on the security appliance. The client
configuration must include at least one of the ports you set for the security appliance.
To enable IPSec over TCP globally on the security appliance, enter the following command, listing up to
10 ports:
crypto isakmp ipsec-over-tcp [port port1...port0]
This example enables IPSec over TCP on port 45:
hostname(config)# crypto isakmp ipsec-over-tcp port 45
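As an added worked example, not taken from the Cisco guide, the following Python script audits a proposed security appliance configuration text against the constraints stated in this section and in the NAT-T step above before the lines are pushed to the device: at most 10 IPSec over TCP ports, a warning for well-known ports 80 and 443 (whose service stops working on the public interface), a collision between an IPSec over TCP port and the HTTP/HTTPS management port, a client port list that shares no port with the appliance, and a NAT-T keepalive outside 10 to 3600 seconds. It assumes the ASA command `http server enable [port]` for the management port, which this page does not mention, and the sample configuration text is constructed.

```python
import re

# Constraints taken from the guide text above.
MAX_CTCP_PORTS = 10
DEFAULT_CTCP_PORT = 10000
DEFAULT_NATT_KEEPALIVE = 20
NATT_KEEPALIVE_RANGE = (10, 3600)
# Well-known ports the guide warns about: IPSec over TCP on one of them
# disables that protocol on the public interface.
WELL_KNOWN = {80: "HTTP", 443: "HTTPS"}
# Assumption: "http server enable [port]" sets the HTTPS management port (default 443).
DEFAULT_HTTP_MGMT_PORT = 443

CTCP_RE = re.compile(r"^\s*crypto isakmp ipsec-over-tcp(?:\s+port((?:\s+\d+)+))?\s*$")
NATT_RE = re.compile(r"^\s*crypto isakmp nat-traversal(?:\s+(\d+))?\s*$")
HTTP_RE = re.compile(r"^\s*http server enable(?:\s+(\d+))?\s*$")

# Constructed sample: a proposed configuration fragment with two deliberate problems.
SAMPLE_CONFIG = """\
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 443 10000
http server enable 443
"""


def parse_config(text):
    """Extract the three settings the audit needs from configuration text.

    ctcp_ports is None when IPSec over TCP is not enabled at all.
    """
    cfg = {"ctcp_ports": None, "natt_keepalive": None, "http_port": None}
    for line in text.splitlines():
        m = CTCP_RE.match(line)
        if m:
            ports = m.group(1)
            cfg["ctcp_ports"] = [int(p) for p in ports.split()] if ports else [DEFAULT_CTCP_PORT]
            continue
        m = NATT_RE.match(line)
        if m:
            cfg["natt_keepalive"] = int(m.group(1)) if m.group(1) else DEFAULT_NATT_KEEPALIVE
            continue
        m = HTTP_RE.match(line)
        if m:
            cfg["http_port"] = int(m.group(1)) if m.group(1) else DEFAULT_HTTP_MGMT_PORT
    return cfg


def audit(cfg, client_ports=()):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    ports = cfg["ctcp_ports"]
    if ports is not None:
        if len(ports) > MAX_CTCP_PORTS:
            findings.append(("TOO_MANY_PORTS",
                             f"{len(ports)} ports configured; the appliance allows at most {MAX_CTCP_PORTS}"))
        for p in ports:
            if p in WELL_KNOWN:
                findings.append(("WELL_KNOWN_PORT",
                                 f"port {p} ({WELL_KNOWN[p]}) will stop working on the public interface"))
        if cfg["http_port"] is not None and cfg["http_port"] in ports:
            findings.append(("MGMT_PORT_COLLISION",
                             f"management port {cfg['http_port']} is also an IPSec over TCP port; "
                             "move HTTP/HTTPS management to a different port"))
        if client_ports and not set(client_ports) & set(ports):
            findings.append(("CLIENT_PORT_MISMATCH",
                             "client port list shares no port with the appliance; the client must "
                             "include at least one appliance port"))
    ka = cfg["natt_keepalive"]
    if ka is not None:
        lo, hi = NATT_KEEPALIVE_RANGE
        if not lo <= ka <= hi:
            findings.append(("KEEPALIVE_OUT_OF_RANGE",
                             f"nat-traversal keepalive {ka}s is outside {lo}-{hi} seconds"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_config(SAMPLE_CONFIG), client_ports=[10000]):
        print(f"{code}: {msg}")
```

Running the script against the constructed sample reports the well-known port 443 and the collision with the management port, both of which the guide says the appliance would otherwise surface only as a warning at configuration time; the `client_ports` argument carries the port list configured on the VPN client so the mismatch check can be done before users are affected.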
Cisco Security Appliance Command Line Configuration Guide
27-8
OL-10088-01