Enforce IPsec over UDP 500 only while still having a NAT server

sudsark
Level 1

Hi There,

We have a setup where we have IPsec established as given below:

Cisco Router <<-->> NAT instance (EC2, AWS hosted) <<-->> ASAv. Now, since we have a NAT instance doing translation in between, the IPsec tunnel is established using UDP 500 and UDP 4500 (for NAT-T). I have disabled NAT-T from the ASAv side but am still seeing UDP 4500 in action. We have a hard requirement that IPsec must be established only over UDP 500 (since 20K hospital networks have a direct connection and only UDP 500 is allowed; now the migration to the new infra is a challenge due to this).

My question is: is there any way we can enforce the communication to happen only over UDP 500? Any help is greatly appreciated.

Please let me know if you have any questions.

Thank You!


1 Reply

M02@rt37
VIP

Hello @sudsark 

You cannot force pure UDP 500 IPsec through a NAT device, even if NAT-T is disabled, because the IKE negotiation detects the NAT and re-encapsulates automatically.

The only way to use UDP_500 exclusively is to ensure no NAT is present between the peers...

Best regards
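To illustrate the NAT detection the reply refers to, here is an added example (not code from the thread or from Cisco) of the RFC 3947 NAT-D check that IKEv1 peers run when both sides support NAT-T. The cookies and the router, NAT instance and ASAv addresses are constructed placeholders; the ASAv sees the NAT instance's public address in the packet header while the router hashed its own private address, so the hashes disagree and the exchange floats to UDP 4500.

```python
import hashlib
import ipaddress
import struct

# NAT-D payload content from RFC 3947 (IKEv1 NAT traversal):
#   HASH = SHA-1( CKY-I | CKY-R | IP | Port )
# CKY-I / CKY-R are the 8-byte ISAKMP cookies, IP is the packed address
# (4 bytes for IPv4) and Port is the 2-byte big-endian UDP port.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, local):
    """What a peer sends: first the hash of the remote address as it knows
    it, then the hash of its own (local) address and port."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, own, observed_src):
    """Receiver side of the check. own = (ip, port) the receiver knows itself
    by; observed_src = (ip, port) in the outer IP/UDP header it received.
    Returns (nat_in_front_of_me, nat_in_front_of_peer)."""
    nat_here = payloads[0] != nat_d_hash(cky_i, cky_r, *own)
    nat_there = nat_d_hash(cky_i, cky_r, *observed_src) not in payloads[1:]
    return nat_here, nat_there


def negotiated_udp_port(cky_i, cky_r, payloads, own, observed_src):
    """500 only when no address was rewritten end to end; otherwise the
    peers switch to 4500 (UDP-encapsulated IKE and ESP)."""
    return 4500 if any(detect_nat(cky_i, cky_r, payloads, own, observed_src)) else 500


# Constructed sample values (not from the thread): the router's private
# address, the NAT instance's public address and the ASAv's address.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
ROUTER = ("10.1.1.1", 500)      # what the router hashes into its own NAT-D
NAT_PUBLIC = ("54.0.0.1", 500)  # source the ASAv actually sees after the NAT instance
ASAV = ("203.0.113.10", 500)


def port_through_nat():
    payloads = build_nat_d_payloads(CKY_I, CKY_R, remote=ASAV, local=ROUTER)
    return negotiated_udp_port(CKY_I, CKY_R, payloads, own=ASAV, observed_src=NAT_PUBLIC)


def port_without_nat():
    payloads = build_nat_d_payloads(CKY_I, CKY_R, remote=ASAV, local=ROUTER)
    return negotiated_udp_port(CKY_I, CKY_R, payloads, own=ASAV, observed_src=ROUTER)
```

On a capture, the same comparison explains a float to 4500: if the NAT-D hash in the IKE message does not match a hash over the addresses in the packet header, some device on the path rewrote them.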