crypto map Outside_map 1 set nat-t-disable

mahesh18 (Level 6)

Hi everyone,

I need to know, for site-to-site (L2L) IPsec tunnels, about the config below:

crypto map Outside_map0 7 set nat-t-disable

Will this disable NAT for traffic going from one side of the tunnel to the other and vice versa?

Regards

Mahesh


6 Replies

NAT-T does not disable NAT for traffic going from one side of the tunnel to the other. NAT-T is a function that allows a VPN tunnel to be formed when there is a NAT device in the path between the two devices that are trying to form a VPN tunnel. For example:

ASA-------Router NAT device-----Internet----ASA

Say you are trying to establish a VPN between the two ASAs. Because ESP, which is used to establish the VPN tunnel, does not use ports, the NAT device will have issues keeping track of the VPN traffic. This will in turn result in the VPN traffic being dropped or not forwarded.

This is why we use NAT Traversal (NAT-T). NAT traversal encapsulates the ESP inside of UDP on port 4500 by default. Now the NAT device has a port it can distinguish this VPN traffic on and will be able to track it, and therefore the traffic will be forwarded and the VPN tunnel will be established.

--
Please remember to select a correct answer and rate helpful posts
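A toy model of the situation Marius describes, added here as an example (it is not code from the thread or from Cisco): two inside hosts behind one port-translating NAT start tunnels to the same Internet peer, and the NAT has to deliver the peer's replies. The PatDevice and Packet names, the addresses and the port range are constructed; the model ignores SPI-based passthrough tricks some NATs attempt and shows only the port argument from the answer above.

```python
# Added example, not from the thread: a toy PAT device forwarding IPsec. Raw ESP
# (IP protocol 50) has no ports, so once two inside hosts talk to the same peer the
# NAT cannot tell whose return traffic is whose; NAT-T wraps ESP in UDP/4500 instead.
from collections import namedtuple
from typing import Optional

PROTO_ESP, PROTO_UDP, NAT_T_PORT = 50, 17, 4500
# sport/dport are None for ESP: the protocol carries no ports at all
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

class PatDevice:  # many-to-one NAT: one outside address shared by all inside hosts
    def __init__(self, outside_ip: str):
        self.outside_ip, self.next_port = outside_ip, 40000
        self.udp = {}  # (peer, outside_port) -> (inside_ip, inside_port)
        self.esp = {}  # peer -> set of inside hosts sending raw ESP to that peer

    def outbound(self, pkt: Packet) -> Packet:
        """Translate inside->outside; returns the packet as seen on the Internet."""
        if pkt.proto == PROTO_ESP:
            self.esp.setdefault(pkt.dst, set()).add(pkt.src)
            return Packet(PROTO_ESP, self.outside_ip, pkt.dst)  # only the address changes
        for (peer, oport), inside in self.udp.items():
            if peer == pkt.dst and inside == (pkt.src, pkt.sport):
                break  # reuse the existing port binding
        else:
            oport, self.next_port = self.next_port, self.next_port + 1
            self.udp[(pkt.dst, oport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, oport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate outside->inside; returns None when the NAT has to drop."""
        if pkt.proto == PROTO_ESP:
            hosts = self.esp.get(pkt.src, set())
            if len(hosts) != 1:
                return None  # zero or several candidates and no port to pick by
            return Packet(PROTO_ESP, pkt.src, next(iter(hosts)))
        inside = self.udp.get((pkt.src, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])

def tunnels_that_work(nat_t: bool, hosts=("10.0.0.1", "10.0.0.2")) -> int:
    """Each inside host starts a tunnel to one Internet peer through the PAT;
    returns how many of the peer's replies reach the host that sent the request."""
    nat, peer, replies = PatDevice("203.0.113.1"), "198.51.100.10", []
    for host in hosts:
        out = nat.outbound(Packet(PROTO_UDP, host, peer, NAT_T_PORT, NAT_T_PORT)
                           if nat_t else Packet(PROTO_ESP, host, peer))
        replies.append((host, Packet(out.proto, peer, out.src, out.dport, out.sport)))
    return sum(1 for h, r in replies if (p := nat.inbound(r)) and p.dst == h)
```

With raw ESP, `tunnels_that_work(False)` returns 0 for the two hosts but 1 when only a single inside host is passed, which is the one case a PAT can forward without a port. With NAT-T, both tunnels get their replies because each outbound flow received its own outside UDP port.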

I need to confirm: with the config

set nat-t-disable

we are not using this feature, hoping that we have no devices in the middle that do NAT, right?

NAT-T is enabled by default. But you should know if there is a NAT device at the edge of your network. And the remote site should also know. Traffic will not pass over a NAT device on the Internet.

--
Please remember to select a correct answer and rate helpful posts

But as per the config, I need to confirm that NAT-T is disabled, right?

No, you don't. Why would you need to disable it? Only disable it if you have a specific need to do so.

--
Please remember to select a correct answer and rate helpful posts

Many thanks Marius for answering all the way.

Regards

Mahesh
