IPSEC, 1-to-1 NAT and NAT-T

Hello everyone.

I have an FTD 2130 firewall sitting behind an internet router which just routes the whole public range we purchased to the firewall. On the FTD we do not have any public IP attached to the internet; we use the public IPs in NAT configurations with proxy ARP. We have one IP that is for global VPN connections and is not used in any configuration on the FTD. However, we use it on the internet router in a 1-to-1 static NAT configuration. The design is as below:

 

FW(192.168.1.1) -------(192.168.1.2)INET Router(Public IP)-------Cloud.

I have VPN connections working properly with third-party companies. From show commands I see that some of them use NAT-T and some just encapsulate with ESP. I confirmed it with "show ip nat translations" on the router. That is as I expected, because I was sure that static one-to-one NAT should not affect VPN and ESP. NAT-T is for PAT designs.

 

But the problem is that I created a simple lab in a virtual environment with the same design as above, and if I disable NAT-T on one end, the VPN comes up but the connection fails. I suspect it is because of the static NAT in the router.

 

Now my question is: if I use static 1-to-1 NAT (not any port translation), do I still need NAT-T? From my lab the answer I get is YES. But from my real environment the answer is NO, because I have current connections that are not using UDP 4500 but just ESP.

 

Thanks in Advance!
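As an added example that is not part of the original post (the SPIs and the public address 203.0.113.10 are constructed sample values, and the firewall/router addresses are taken from the diagram above): the script below reproduces the IKEv2 NAT detection computation from RFC 7296 section 2.23 and shows that a 1-to-1 static NAT is still detected, because the NAT_DETECTION hash covers the IP address and not only the UDP port. That is why, when both peers have NAT-T enabled, the SA moves to UDP 4500 even though nothing in the path rewrites ports; only when at least one side has NAT-T disabled does the SA stay on raw ESP, which then depends on the NAT device forwarding and translating IP protocol 50, something not every NAT implementation does.

```python
"""Why a 1-to-1 static NAT still triggers IKEv2 NAT detection.

Added example (not from the original post). It reproduces the NAT detection
payloads of RFC 7296 section 2.23: each IKE_SA_INIT message carries
NAT_DETECTION_SOURCE_IP      = SHA-1(SPIi | SPIr | source IP | source port) and
NAT_DETECTION_DESTINATION_IP = SHA-1(SPIi | SPIr | destination IP | destination port).
The receiver recomputes the hashes over the addresses and ports it actually saw
in the IP/UDP header; any mismatch means a NAT sits in the path. Because the IP
address is part of the hash, a 1-to-1 NAT that leaves port 500 alone is still
detected. The SPIs and the public address below are constructed sample values.
"""
import hashlib
import ipaddress
import struct

ESP = "ESP (IP protocol 50)"
NAT_T = "UDP encapsulation on port 4500 (NAT-T)"


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address (4 or 16 bytes) | port (2 bytes, network order)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def receiver_detects_nat(spi_i: bytes, spi_r: bytes,
                         claimed_ip: str, claimed_port: int,
                         observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: the sender hashed the address it believes it has
    (claimed_*); the receiver hashes the address it saw on the wire (observed_*)."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    recomputed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != recomputed


def select_encapsulation(nat_detected: bool, local_natt: bool, remote_natt: bool) -> str:
    """Only when both peers sent NAT_DETECTION payloads and a NAT was found does
    traffic move to UDP 4500; otherwise the SA runs as plain ESP, which any
    middlebox in the path must then translate as IP protocol 50."""
    if nat_detected and local_natt and remote_natt:
        return NAT_T
    return ESP


# Constructed topology following the post: the firewall sees itself as
# 192.168.1.1, the internet router statically maps that to a public address
# (sample value 203.0.113.10); a 1-to-1 static NAT does not rewrite UDP 500.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("0000000000000000")   # responder SPI is zero in the first IKE_SA_INIT
FW_PRIVATE_IP = "192.168.1.1"
FW_PUBLIC_IP = "203.0.113.10"
IKE_PORT = 500


def one_to_one_nat_is_detected() -> bool:
    """The remote peer recomputes the hash over 203.0.113.10:500 while the
    firewall hashed 192.168.1.1:500: mismatch, so a NAT is detected."""
    return receiver_detects_nat(SPI_I, SPI_R, FW_PRIVATE_IP, IKE_PORT, FW_PUBLIC_IP, IKE_PORT)


def no_nat_is_not_detected() -> bool:
    """Control case: with the public IP configured directly on the firewall the
    hashes agree and no NAT is reported."""
    return receiver_detects_nat(SPI_I, SPI_R, FW_PUBLIC_IP, IKE_PORT, FW_PUBLIC_IP, IKE_PORT)


if __name__ == "__main__":
    nat = one_to_one_nat_is_detected()
    print("1-to-1 NAT detected by peer:", nat)
    print("both ends NAT-T enabled   ->", select_encapsulation(nat, True, True))
    print("one end NAT-T disabled    ->", select_encapsulation(nat, True, False))
```

The control case is the one the post's "real environment" tunnels on raw ESP correspond to in practice: a peer that never sends NAT_DETECTION payloads (NAT-T disabled or unsupported) gets plain ESP regardless of what the router does, so whether those tunnels pass traffic depends on the router translating protocol 50 for the static mapping, not on IKE.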


Re: IPSEC, 1-to-1 NAT and NAT-T

UP