Example: Configuring the IKE and ESP ALG (CLI)

In this example, you configure the IKE/ESP ALG on the device.

To configure the IKE/ESP ALG:

  1. Configure a source NAT pool.
    [edit]
    user@host# set security nat source pool p1 address 10.10.10.1/32 to 10.10.10.10/32
    user@host# set security nat source rule-set rs1 from zone green
    user@host# set security nat source rule-set rs1 to zone red
    user@host# set security nat source rule-set rs1 rule r1 match source-address 1.1.1.0/24
    user@host# set security nat source rule-set rs1 rule r1 match destination-address 2.2.2.0/24
    user@host# set security nat source rule-set rs1 rule r1 then source-nat pool p1

    Proxy ARP also needs to be configured for all IP addresses in the source NAT pool.

  2. Confirm your configuration by entering the show security nat command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security nat
    source {
        pool p1 {
            address {
                10.10.10.1/32 to 10.10.10.10/32;
            }
        }
        address-persistent;
        rule-set rs1 {
            from zone green;
            to zone red;
            rule r1 {
                match {
                    source-address 1.1.1.0/24;
                    destination-address 2.2.2.0/24;
                }
                then {
                    source-nat {
                        pool {
                            p1;
                        }
                    }
                }
            }
        }
    }
  3. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security nat
    user@host# commit
  4. Configure a custom application.
    [edit]
    user@host# set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
  5. Confirm your configuration by entering the show applications command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show applications
    application custom-ike-alg {
        application-protocol ike-esp-nat;
        protocol udp;
        source-port 500;
        destination-port 500;
    }
  6. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security applications
    user@host# commit
  7. Associate the custom application you configured with a security policy.
    [edit]
    user@host# set security zones security-zone green address-book address sa1 1.1.1.0/24
    user@host# set security zones security-zone red address-book address da1 2.2.2.0/24
    user@host# set security policies from-zone green to-zone red policy pol1 match source-address sa1
    user@host# set security policies from-zone green to-zone red policy pol1 match destination-address da1
    user@host# set security policies from-zone green to-zone red policy pol1 match application custom-ike-alg
    user@host# set security policies from-zone green to-zone red policy pol1 then permit
  8. Confirm your configuration by entering the show security zones command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security zones
    security-zone Trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone green {
        address-book {
            address sa1 1.1.1.0/24;
        }
    }
    security-zone red {
        address-book {
            address da1 2.2.2.0/24;
        }
    }
  9. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security zones
    user@host# commit

To support both NAT-T-capable and non-NAT-T-capable clients, some additional configuration is required.

  1. Globally enable persistent source NAT translation (so that once a particular source NAT is associated with a given IP address, subsequent source NAT translations use the same IP address).
    [edit]
    user@host# set security nat source address-persistent
  2. Confirm your configuration by entering the show security nat command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security nat
    source {
        address-persistent;
    }
  3. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security nat
    user@host# commit
  4. Configure the IKE NAT-T application.
    [edit]
    user@host# set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
  5. Confirm your configuration by entering the show applications command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show applications
    application custom-ike-natt {
        protocol udp;
        source-port 4500;
        destination-port 4500;
    }
  6. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security applications
    user@host# commit
  7. Associate the NAT-T application with a security policy.
    [edit]
    user@host# set security policies from-zone green to-zone red policy pol1 match source-address sa1
    user@host# set security policies from-zone green to-zone red policy pol1 match destination-address da1
    user@host# set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt
    user@host# set security policies from-zone green to-zone red policy pol1 then permit
  8. Confirm your configuration by entering the show security policies command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show security policies
    from-zone green to-zone red {
        policy pol1 {
            match {
                source-address sa1;
                destination-address da1;
                application [ custom-ike-alg custom-ike-natt ];
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        permit-all;
    }
  9. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# edit security policies
    user@host# commit
