topic Re: Need to set NAT Traversal with 1:1 NAT? in Network Security

Need to set NAT Traversal with 1:1 NAT?

kay.kang — Fri, 01 Apr 2022 15:24:15 GMT

Hi,

I am trying to use 1:1 Static NAT on NAT enabled device.

There is a firewall behind the NAT enabled device, which will have IPSec setup.

Do I need to set up NAT-T(Traversal) on the firewall in this case using 1:1 Static NAT??

As far as I understand, NAT-T needs to be set when use PAT(Dynamic Port Address Translation).

Re: Need to set NAT Traversal with 1:1 NAT?

Rob Ingram — Fri, 01 Apr 2022 15:47:47 GMT

@kay.kang NAT-T needs to be enabled on both ends, it should be enabled as default. Both devices will attempt to discover if NAT is used and if so, NAT-T will ensure the packets are encapsulated using UDP/4500 instead of ESP.

Re: Need to set NAT Traversal with 1:1 NAT?

MHM Cisco World — Fri, 01 Apr 2022 22:13:44 GMT

Asa1-nat-internet-asa2

If you config peer in asa2 as nat ip of asa1 then you must config static 1:1 PAT

"This PAT open port for esp and 4500"
NAT-T Must enable
simply NAT-T match the identity of ASA1 with the IP source header in IPSec packet.
if not match the IPSec failed.

Re: Need to set NAT Traversal with 1:1 NAT?

kay.kang — Sat, 02 Apr 2022 00:14:19 GMT

Hi Rob,

do you mean NAT-T should also be enabled with the case of using 1:1 Static NAT, which will map the dedicate IP address to the firewall’s private IP address from NAT pool.

I understand NAT-T should be enabled with the case of using PAT, which will translate port number because ESP doesn’t have transport layer encapsulation.

Do we have to care about port translation if we use 1:1 Static NAT using NAT pool?

Re: Need to set NAT Traversal with 1:1 NAT?

kay.kang — Sat, 02 Apr 2022 00:19:29 GMT

Hi,

I am not talking about Static PAT.

I also know NAT-T should be enabled with the case of using PAT because ESP packet doesn’t have transport layer encapsulation.

As reason why want to use 1:1 Static NAT, I don’t want to set static port map.

My question was about the case of using 1:1 Static NAT.

Re: Need to set NAT Traversal with 1:1 NAT?

MHM Cisco World — Sun, 03 Apr 2022 15:33:50 GMT

even if you use static NAT you
need NAT-T

ASA1-NAT-Internet-ASA2

ASA2 receive the IPSec packet with the IP address "mapped not real" as source of these packets
ASA2 then validate the ID of ASA1 which is "real" IP address
it will check IPSec Header IP and ID with your config

if the NAT-T is disable this check is failed

if the NAT-T is enable this check is success