ESP and AH protocols and NAT.

Imagine I have a PIX behind a router which can do NAT. Imagine I would use one IP only for this kind of traffic (IPsec).

What do I have to do with my ACL to allow that traffic to be NAT'ed?

just

access-list 100 permit udp 192.168.0.1 eq 500 any eq 500
access-list 100 permit udp 192.168.0.1 eq 4500 any eq 4500

or also esp and ah protocols, adding something like this:

access-list 100 permit esp 192.168.0.1 any
access-list 100 permit ah 192.168.0.1 any

I know IPsec travels over UDP (but not only). So finally my question is: how is the ESP protocol involved in IPsec traffic? And how should it be considered while doing NAT?

Thanks,

Alex

P.S. Perhaps I'm a bit OT, but all the results will be implemented on Cisco routers.

AM

In article , AM wrote:
:Imagine I have a PIX behind a router which can do NAT.
:Imagine I would use one IP only for this kind of traffic (IPsec).

:What do I have to do with my ACL to allow that traffic to be NAT'ed?

:just

:access-list 100 permit udp 192.168.0.1 eq 500 any eq 500

You are missing 'host' in appropriate places.

:access-list 100 permit udp 192.168.0.1 eq 4500 any eq 4500

:or also esp and ah protocols, adding something like this:

:access-list 100 permit esp 192.168.0.1 any
:access-list 100 permit ah 192.168.0.1 any

:I know IPsec travels over UDP (but not only). So finally my question is: how is the ESP protocol involved in IPsec
:traffic? And how should it be considered while doing NAT?

There is no point in NAT'ing AH packets. If you are not using nat-traversal then the NAT'ing process will mess up the checksum used by AH and the packets will be discarded. If you are using nat-traversal then the packets will be encapsulated within UDP packets and there won't be any exposed AH packets.

Similarly, if you are using nat-traversal then, because the ESP packets will be encapsulated within UDP, there will not be any exposed ESP packets. There would, however, be UDP packets with a dynamic source port going to port 4500 at the destination (but no return packets back!) and the same thing in the other direction (dynamic source, local destination 4500, with no outgoing packets back to that dynamic port). Tunnel (re-)negotiation is via isakmp (udp 500) packets.

With nat-traversal off, the data is carried in ESP packets, but the tunnel negotiation is isakmp (udp 500) packets.

Walter Roberson
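The following IOS configuration fragment is an added example that puts the reply's points into a concrete ACL and NAT statement; it is not config posted by either participant. It keeps 192.168.0.1 as the PIX outside address from the thread, and assumes the interface names (Ethernet0 inside, Serial0 outside) and the public address 203.0.113.10 as placeholders for the single IP dedicated to IPsec:

```cisco
! Added example, not from the thread. Assumed: PIX outside = 192.168.0.1,
! router inside = Ethernet0, router outside = Serial0,
! 203.0.113.10 = placeholder for the one public IP reserved for IPsec.
!
! 'host' is required in front of a single address in an extended ACL;
! without it IOS expects an address/wildcard pair.
!
! ISAKMP negotiation and renegotiation use UDP 500 whether or not
! NAT-Traversal is in use.
access-list 100 permit udp host 192.168.0.1 eq 500 any eq 500
!
! With NAT-T: ESP is carried inside UDP to destination port 4500. The
! source port can be dynamic, so only the destination port is matched.
! No raw ESP or AH appears on the wire in this mode.
access-list 100 permit udp host 192.168.0.1 any eq 4500
!
! Without NAT-T: data travels as raw ESP (IP protocol 50).
! AH is deliberately not listed: its integrity check covers the IP
! header, so a translated AH packet fails verification at the peer.
access-list 100 permit esp host 192.168.0.1 any
!
! One dedicated public address, no port overload: ESP has no ports to
! translate, so a one-to-one mapping is the predictable choice.
ip nat pool IPSECPOOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 100 pool IPSECPOOL
!
interface Ethernet0
 ip nat inside
!
interface Serial0
 ip nat outside
```

Only one of the two data-plane lines (UDP 4500 or ESP) is actually exercised for a given peer, depending on whether both ends negotiate NAT-T; listing both lets the same ACL serve either configuration. If the remote peer initiates, the router additionally needs an inbound permit for UDP 500/4500 (and ESP when NAT-T is off) on the outside interface, which a static one-to-one mapping makes straightforward.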

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.