User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Understanding NAT in VPNs
Network Address Translation (NAT) enables devices that use internal IP addresses to send and receive
data through the Internet. It converts private, internal LAN addresses into globally routable IP addresses
when they try to access data on the Internet. In this way, NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
NAT improves the stability of your hub-and-spoke VPN tunnels or remote access connections because
the resources required for VPN connections are not consumed by other traffic, and the VPN tunnel is
kept available for traffic that requires full protection. Sites inside the VPN can use NAT through a split
tunnel to exchange nonsecure traffic with outside devices, so they neither squander VPN bandwidth nor
overwhelm the hub at the tunnel head-end by directing nonessential traffic through it.
Security Manager supports NAT with dynamic IP addressing only, and applies the overload feature to it,
which provides port-level NAT, also known as Port Address Translation (PAT). PAT uses source port
numbers to associate thousands of private addresses with a small group of public IP addresses. PAT is
used when the addressing requirements of your network exceed the addresses available in your dynamic
NAT pool.
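The following simulation illustrates the dynamic NAT pool and PAT overload behaviour described above. It is an added example, not Cisco's code and not what Security Manager deploys to a device; it models one policy (pool addresses handed out one-to-one until the pool runs dry, then port-level translation onto a shared address) so that the port mapping and the reverse lookup for return traffic can be seen. The class and field names, and the RFC 5737 sample addresses, are constructed for this example.

```python
from collections import namedtuple

# One flow as seen by the translator; proto is a string such as "tcp" or "udp".
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")


class DynamicNatOverload:
    """Dynamic NAT from an address pool with PAT once the pool is exhausted.

    Modelling choice (an assumption of this example): the last pool address is
    reserved for PAT and the others are handed out one-to-one. A real device
    may share every pool address; the point shown is the same.
    """

    def __init__(self, pool):
        pool = list(pool)
        self.free_pool = pool[:-1]       # addresses still available one-to-one
        self.pat_ip = pool[-1]           # shared address used once the pool is empty
        self.host_map = {}               # inside ip -> public ip (one-to-one entries)
        self.pat_map = {}                # (inside ip, inside port, proto) -> public port
        self.pat_reverse = {}            # (public port, proto) -> (inside ip, inside port)
        self.next_port = 1024            # PAT source ports are allocated upwards from here

    def outbound(self, flow):
        """Translate an inside -> outside flow; returns the flow as the Internet sees it."""
        if flow.src_ip in self.host_map:
            return flow._replace(src_ip=self.host_map[flow.src_ip])
        if self.free_pool:
            # Pool address still available: classic dynamic NAT, port untouched.
            public_ip = self.free_pool.pop(0)
            self.host_map[flow.src_ip] = public_ip
            return flow._replace(src_ip=public_ip)
        # Pool exhausted: PAT. Many inside hosts share pat_ip, told apart by port.
        key = (flow.src_ip, flow.src_port, flow.proto)
        if key not in self.pat_map:
            if self.next_port > 65535:
                raise RuntimeError("PAT port space exhausted")
            self.pat_map[key] = self.next_port
            self.pat_reverse[(self.next_port, flow.proto)] = (flow.src_ip, flow.src_port)
            self.next_port += 1
        return flow._replace(src_ip=self.pat_ip, src_port=self.pat_map[key])

    def inbound(self, flow):
        """Translate a reply (outside -> inside). Returns None when no translation
        exists, i.e. the packet is dropped: unsolicited inbound traffic has no entry."""
        if flow.dst_ip == self.pat_ip:
            inside = self.pat_reverse.get((flow.dst_port, flow.proto))
            if inside is None:
                return None
            return flow._replace(dst_ip=inside[0], dst_port=inside[1])
        for inside_ip, public_ip in self.host_map.items():
            if public_ip == flow.dst_ip:
                return flow._replace(dst_ip=inside_ip)
        return None


if __name__ == "__main__":
    # Constructed sample: a two-address pool, three inside hosts, one reply.
    nat = DynamicNatOverload(["203.0.113.10", "203.0.113.11"])
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(host, "->", nat.outbound(Flow(host, 40000, "198.51.100.7", 443, "tcp")))
    print("reply ->", nat.inbound(Flow("198.51.100.7", 443, "203.0.113.11", 1025, "tcp")))
```

The first host gets the only free pool address one-to-one; the second and third hosts both arrive at 203.0.113.11 and are distinguished only by the translated source port, which is the "thousands of private addresses behind a few public ones" property the text describes. The inbound path shows why return traffic works and why an unsolicited packet to an unused port is simply dropped.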
Load Balancing Settings
Redirect Connections During
(Remote access VPNs only.)
If you configure load balancing, using the ASA Cluster Load Balance
policy, you can specify the IKEv2 negotiation phase in which a user can
be redirected to another device in the cluster. Select one of these
options:
INIT—Redirect at the unauthenticated initiation request (the first IKEv2 message, IKE_SA_INIT),
before any group or user authentication.
Pros—The master server does minimal processing and keeps minimal state (CPU and memory)
before redirecting the connection.
Cons—This option is less secure than AUTH (although the risk is small) because anyone can obtain a
redirected IP address without authenticating at all, and because the redirect notification itself is
unauthenticated: any party that can answer the IKE_SA_INIT request can steer the client to an address
of its choosing. The client still authenticates whatever gateway it reaches after the redirect, so the
exposure is to denial of service and to disclosure of cluster member addresses, not to the tunnel itself.
AUTH (the default)—Redirect during authentication (during IKE_AUTH). The device has still not
identified or authenticated the user at this point, but the client can authenticate the server and can
therefore trust the redirection that it receives.
Pros—This option is more secure because the reply is encrypted within the IKEv2 SA and the client
authenticates the server before retrying with the redirected IP address, which gives better DoS
protection than the INIT option.
Cons—This option requires more processing, because the IKEv2 SA must be almost fully established
before redirecting, although child SAs and data tunnels are not brought up. The client is not
authenticated at all. Note that IKEv1 redirection occurs after group authentication of both sides of
the tunnel.
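The simulation below contrasts the two redirect points. It is an added example, not Cisco's or the ASA's code, and it does not reproduce the IKEv2 wire format; it models the RFC 5685 redirect at IKE_SA_INIT versus at IKE_AUTH and the trust difference between them. The AUTH payload is simplified to an HMAC-SHA256 under a pre-shared key over the values the client checks (real IKEv2 PSK authentication derives the key from the PSK and signs the first message, nonces and identity). The class names, the `run` helper, the sample PSK and the addresses are all constructed for this example.

```python
import hashlib
import hmac
import os

INIT = "INIT"   # redirect in the IKE_SA_INIT response, before any authentication
AUTH = "AUTH"   # redirect in the IKE_AUTH response, after the server proves who it is


def auth_payload(psk, server_id, nonce_i, target):
    # Simplified AUTH: binds the server identity, the client's nonce (freshness)
    # and the redirect target under the shared key.
    msg = b"|".join([server_id.encode(), nonce_i, target.encode()])
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Gateway:
    """The cluster member that receives the connection and redirects it."""

    def __init__(self, identity, psk, target, phase):
        self.identity, self.psk, self.target, self.phase = identity, psk, target, phase
        self.sessions = {}      # SPIi -> per-SA state (nonces; DH state would live here too)
        self.peak_state = 0     # how many half-open SAs the gateway had to keep at once

    def ike_sa_init(self, req):
        if self.phase == INIT and req.get("REDIRECT_SUPPORTED"):
            # Answer with N(REDIRECT) at once: no nonce, no DH, nothing remembered.
            return {"msg": "IKE_SA_INIT", "REDIRECT": self.target}
        self.sessions[req["spi_i"]] = {"nonce_i": req["nonce_i"], "nonce_r": os.urandom(16)}
        self.peak_state = max(self.peak_state, len(self.sessions))
        return {"msg": "IKE_SA_INIT", "nonce_r": self.sessions[req["spi_i"]]["nonce_r"]}

    def ike_auth(self, req):
        sess = self.sessions.pop(req["spi_i"])   # no child SA is built; the SA is discarded
        resp = {"msg": "IKE_AUTH", "IDr": self.identity, "REDIRECT": self.target}
        # In real IKEv2 this whole response is encrypted and integrity-protected by the SA.
        resp["AUTH"] = auth_payload(self.psk, self.identity, sess["nonce_i"], self.target)
        return resp


class Client:
    def __init__(self, psk, expected_server_id):
        self.psk, self.expected_server_id = psk, expected_server_id

    def connect(self, gateway):
        """Returns (target, verified): where the client will retry and whether it
        could verify who told it to go there."""
        spi_i, nonce_i = os.urandom(8), os.urandom(16)
        init = gateway.ike_sa_init({"spi_i": spi_i, "nonce_i": nonce_i, "REDIRECT_SUPPORTED": True})
        if "REDIRECT" in init:
            # Nothing to check: any party able to answer IKE_SA_INIT could have sent this.
            return init["REDIRECT"], False
        auth = gateway.ike_auth({"spi_i": spi_i})
        expected = auth_payload(self.psk, self.expected_server_id, nonce_i, auth["REDIRECT"])
        if auth["IDr"] != self.expected_server_id or not hmac.compare_digest(expected, auth["AUTH"]):
            return None, False      # server failed to authenticate: the redirect is ignored
        return auth["REDIRECT"], True


def run(phase, rogue=False):
    """One connection attempt. rogue=True means the responder is an impersonator
    that does not know the PSK and points the client at its own address."""
    psk = b"example-psk"                                     # constructed sample value
    if rogue:
        gw = Gateway("vpn.example.com", b"guess", "198.51.100.9", phase)
    else:
        gw = Gateway("vpn.example.com", psk, "203.0.113.50", phase)
    target, verified = Client(psk, "vpn.example.com").connect(gw)
    return {"target": target, "verified": verified, "peak_state": gw.peak_state}


if __name__ == "__main__":
    for phase in (INIT, AUTH):
        for rogue in (False, True):
            print(phase, "rogue" if rogue else "legit", run(phase, rogue))
```

With INIT the gateway keeps no state at all, which is the pro the table lists, but the client follows the rogue redirect just as readily as the real one, which is the con. With AUTH the gateway has to hold a half-open SA for each attempt, and the rogue redirect is rejected because the impersonator cannot produce a valid AUTH payload.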
Table 25-6 VPN Global Settings Page, IKEv2 Settings Tab (Continued)
Element Description