
FTD 2130 NAT-T Disable problem

Hi all,

I have a problem with NAT-T. I have an FTD 2130 device managed by FMC which is terminating all my VPN connections. The FTD does not have a public IP attached to the internet; instead I have an internet router that is doing 1-to-1 static NAT without any port for the VPN termination interface. In this case I actually do not need NAT-T, but because all my customers' devices support NAT-T, it was working well without any problem until today. I must connect a new third party through the internet. They use Kerio Control on their side, which I think is not accepting UDP 4500 connections for VPN. Now I want to disable NAT-T to solve the problem, but I cannot. There is no option in FMC. I tried FlexConfig, but FMC does not accept my configuration, saying "Unsupported CLI". Now I am not sure whether the command really is not supported or I am doing something wrong. Any help is appreciated.

Thanks in advance!! 


Accepted Solutions

Although FlexConfig does not accept crypto ipsec commands, I could disable NAT-T by creating a FlexConfig which contained the following command: "no crypto isakmp nat-t". Previously I tried to delete it in the IPsec phase with the command "crypto map XXX set nat-t-disable", which was not accepted.


5 Replies

Ilkin
Cisco Employee

Orkhan, salam.

 

Disabling 'Keepalive Messages Traversal' in Advanced settings of a VPN topology under Tunnel setting should fix the issue.

Salam Ilkin,

I forgot to mention that I had already done that with no result. I have found a recent bug, CSCvh87734, which says that the workaround is using FlexConfig, but Flex does not support VPN commands.

Although FlexConfig does not accept crypto ipsec commands, I could disable NAT-T by creating a FlexConfig which contained the following command: "no crypto isakmp nat-t". Previously I tried to delete it in the IPsec phase with the command "crypto map XXX set nat-t-disable", which was not accepted.

Can we disable it for a specific crypto_map sequence number?

Make a new post, it is better.

MHM
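
Why the port-preserving 1-to-1 static NAT from the original post still moves the tunnel to UDP 4500 while NAT-T is on, and what is left once one side stops offering it. This is an added example, not code from the thread or from Cisco: it uses the NAT detection hash of RFC 3947 / RFC 7296 with SHA-1, `transport()` is a simplified model of the negotiation outcome, and all addresses and SPIs are constructed.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT detection hash: SHA-1(SPIi | SPIr | IP | port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()

def nat_on_path(spi_i: bytes, spi_r: bytes, claimed, observed) -> bool:
    """True when the hash the sender built over its own (ip, port) differs
    from the hash the receiver builds over what it saw on the wire."""
    return nat_d_hash(spi_i, spi_r, *claimed) != nat_d_hash(spi_i, spi_r, *observed)

def transport(local_nat_t: bool, peer_nat_t: bool, nat_seen: bool) -> str:
    """Simplified model: IKE floats to UDP 4500 only if both ends offer
    NAT-T and a NAT was detected; otherwise ESP stays unencapsulated."""
    if local_nat_t and peer_nat_t and nat_seen:
        return "IKE and ESP-in-UDP on UDP/4500"
    return "IKE on UDP/500, ESP as IP protocol 50"

# Constructed values: documentation address ranges, made-up SPIs.
SPI_I = bytes.fromhex("1122334455667788")
SPI_R = bytes(8)                     # responder SPI is zero in the first message
FTD_INSIDE = ("192.168.10.2", 500)   # address the firewall itself knows
FTD_MAPPED = ("203.0.113.10", 500)   # same port after the router's 1-to-1 NAT

def demo() -> dict:
    # The port is unchanged, but the address is part of the hash input,
    # so the peer still concludes that a NAT sits in the path.
    nat_seen = nat_on_path(SPI_I, SPI_R, FTD_INSIDE, FTD_MAPPED)
    return {
        "nat_seen": nat_seen,
        "nat_t_on_both": transport(True, True, nat_seen),
        "nat_t_off_locally": transport(False, True, nat_seen),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With NAT-T off, the upstream router has to translate and permit ESP (IP protocol 50) as well as UDP 500 for the mapped address.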
