
NAT-T with IPSec

ranga2002
Level 1

Hi Friends,

My understanding is that "NAT" work is taken over by "ESP" when it comes to IPSec.

But in my day-to-day work with firewalls, sometimes in order to bring an IPSec VPN up I have to disable NAT-T. On some occasions I have to do the opposite (enable NAT-T on a NAT-T disabled device).

Can anyone explain the reason for this?

Thanks in advance!

3 Replies

Ajay Saini
Level 7

Hello,

 

The real question is when NAT-T is needed and when we can run an IPSec VPN without it. Here is an article which should answer most of your questions; please go through it and post any questions that you might have:

 

https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/15-mt/sec-ipsec-data-plane-15-mt-book/sec-ipsec-nat-transp.pdf

 

HTH
AJ

Thanks Ajay. Actually, I read this article before posting the question.

The doubt I have is: how does the same VPN sometimes require NAT-T, and again how does it require NAT-T to go online?

Also, what I meant by "NAT work" in the question above is the duty of keeping the session table up to date in the firewall, which is carried out by "ESP" in an IPSec environment. I am aware ESP and NAT are not the same.


NAT-T is a negotiation that happens between the peers and we don't have much control over it. Are you saying that the same connection works fine without NAT-T and sometimes works over NAT-T?

Well, that could be due to some routing changes on either side due to which a NAT device comes into the picture.

So, whenever the peers encounter a NAT device in the connection, they negotiate the NAT-T option, and otherwise they work normally with ESP packets.

 

HTH
AJ
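
The NAT detection step behind the negotiation described in the reply above, as an added example that is not part of the thread or any vendor's code. It follows the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP rule from RFC 7296 (SHA-1 over the SPIs, IP address and port); the function names, SPI and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """IKEv2 NAT_DETECTION_*_IP data: SHA-1(SPIi | SPIr | IP address | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def check_received(spi_i, spi_r, src_hash, dst_hash, seen_src, seen_dst):
    """Receiver side: compare the sender's hashes with the addresses actually
    seen in the IP/UDP headers. A mismatch means something rewrote them."""
    src_ok = nat_detection_hash(spi_i, spi_r, *seen_src) == src_hash
    dst_ok = nat_detection_hash(spi_i, spi_r, *seen_dst) == dst_hash
    return {
        "sender_behind_nat": not src_ok,
        "receiver_behind_nat": not dst_ok,
        # With NAT on the path the peers move IKE to UDP 4500 and wrap ESP in UDP;
        # with no NAT they keep plain ESP (IP protocol 50).
        "use_nat_t": not (src_ok and dst_ok),
    }

def demo():
    # Constructed values: documentation/private addresses, made-up SPI.
    spi_i, spi_r = bytes.fromhex("1122334455667788"), bytes(8)  # SPIr is 0 in the first message
    initiator, responder = ("192.168.1.10", 500), ("203.0.113.20", 500)
    src_hash = nat_detection_hash(spi_i, spi_r, *initiator)
    dst_hash = nat_detection_hash(spi_i, spi_r, *responder)
    # Path A: routed directly, headers arrive unchanged.
    direct = check_received(spi_i, spi_r, src_hash, dst_hash, initiator, responder)
    # Path B: a routing change puts a source-NAT device in the path.
    natted = check_received(spi_i, spi_r, src_hash, dst_hash,
                            ("198.51.100.7", 1024), responder)
    return direct, natted

if __name__ == "__main__":
    for label, result in zip(("direct", "via NAT"), demo()):
        print(label, result)
```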
