Assigning A Crypto-List To An Interface - Avaya G250 Administration

Note:
NAT Traversal is enabled by default. Configure NAT-Traversal only if you need to
Note:
re-enable it after it was disabled using the no crypto ipsec
nat-transparency udp-encapsulation command.
NAT Traversal keepalive is also enabled by default (with a default value of 20
seconds). Configure NAT Traversal keepalive only if you need to re-enable it after
it was disabled using the no crypto isakmp nat keepalive command.
Configure NAT Traversal
1. Enable NAT Traversal by using the crypto ipsec nat-transparency
udp-encapsulation command:
G350-001# crypto ipsec nat-tranparency udp-encapsulation
G350-001# Done!
2. Enable NAT Traversal keepalives and configure the keepalive interval (in seconds), using
the crypto isakmp nat keepalive command, followed by a number between 5 and
3600.
NAT Traversal keepalives are empty UDP packets that the device sends on a periodic
basis at times of inactivity when a dynamic NAT is detected along the way. These
keepalives are intended to maintain the NAT translation alive in the NAT device, and not let
it age-out due to periods of inactivity. Set the NAT Traversal keepalive interval on the
G250/G350 to be less than the NAT translation aging time on the NAT device.
G350-001# crypto isakmp nat keepalive 60
G350-001# Done!

Assigning a crypto-list to an interface

A crypto-list is activated on an interface. You can assign multiple crypto-lists to different
interfaces on the G250/G350.
1. Enter interface context using the interface command.
G350-001# interface FastEthernet 10/2
G350-001(config-if:FastEthernet 10/2)#
2. Configure the IP address of the interface. You can configure either a static or a dynamic IP
address.
To configure a static IP address:
●
- Make sure to specify an IP address (not an interface name) as the
local-address in the crypto-list (see
Configuring a site-to-site IPSec VPN
Configuring crypto-lists
Issue 3 February 2007
on page 464).
469