09-05-2018 08:48 PM - edited 02-21-2020 08:12 AM
Hi Friends,
My understanding is that the "NAT" work is taken over by "ESP" when it comes to IPSec.
But in my day-to-day work with firewalls, sometimes in order to bring an IPSec VPN up I have to disable NAT-T. On some occasions I have to do the opposite (enable NAT-T on a NAT-T-disabled device).
Can anyone explain the reason for this?
Thanks in advance!
09-05-2018 09:17 PM
Hello,
The real question is when NAT-t is needed and when we can run an IPSec VPN without it. Here is an article which should answer most of your questions; please go through it and post any questions that you might have:
https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
HTH
AJ
09-05-2018 10:25 PM
Thanks Ajay. Actually I read this article before posting the question.
The doubt I have is, how does the same VPN sometimes require NAT-T, and again how does it require NAT-T to go online?
Also, what I meant by "NAT work" in the question above is the duty of keeping the session table up to date in the firewall, which is carried out by "ESP" in an IPSec environment. I am aware ESP and NAT are not the same.
09-06-2018 02:28 AM
NAT-t is a negotiation that happens between the peers and we don't have much control over it. Are you saying that the same connection works fine without NAT-t and sometimes works over NAT-t?
Well, that could be due to some routing changes on either side, due to which a NAT device comes into the picture.
So, whenever the peers encounter a NAT device in the connection, they negotiate the NAT-t option, and otherwise work normally with ESP packets.
HTH
AJ
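The "negotiation" AJ describes is how IKEv2 peers detect a NAT in the path (RFC 7296 section 2.23): each side sends SHA-1 hashes of the SPIs plus the address and port it believes it is sending from and to, and the receiver recomputes them over the address and port the packet actually arrived from. The example below is added here and is not from the thread or from Cisco; the SPIs and the 192.168.1.10 / 203.0.113.5 / 198.51.100.7 addresses are constructed, and the function and variable names are this example's own.

```python
"""IKEv2 NAT detection (RFC 7296 section 2.23), worked on constructed data."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | UDP port): the payload carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, src_hash, dst_hash, observed_src, my_addr):
    """Receiver-side check. observed_src is the (ip, port) the IKE packet really
    arrived from; my_addr is the receiver's own (ip, port).
    Returns (peer_behind_nat, local_behind_nat)."""
    peer_natted = src_hash != nat_detection_hash(spi_i, spi_r, *observed_src)
    local_natted = dst_hash != nat_detection_hash(spi_i, spi_r, *my_addr)
    return peer_natted, local_natted


def esp_encapsulation(peer_natted: bool, local_natted: bool) -> str:
    """If either side is behind a NAT, ESP must ride inside UDP/4500 (NAT-T);
    otherwise native ESP (IP protocol 50) works, as AJ's reply says."""
    return "udp-encap-4500" if (peer_natted or local_natted) else "esp-proto-50"


# Constructed SPIs. The responder SPI is zero in the IKE_SA_INIT request.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("0000000000000000")


def scenario(initiator_private=("192.168.1.10", 500),
             seen_from=("203.0.113.5", 4500),
             responder=("198.51.100.7", 500)):
    """Initiator hashes its own pre-NAT address; a NAT rewrites the packet to
    seen_from on the way to the responder, which recomputes the hashes."""
    src_hash = nat_detection_hash(SPI_I, SPI_R, *initiator_private)
    dst_hash = nat_detection_hash(SPI_I, SPI_R, *responder)
    peer, local = detect_nat(SPI_I, SPI_R, src_hash, dst_hash, seen_from, responder)
    return peer, local, esp_encapsulation(peer, local)


if __name__ == "__main__":
    print(scenario())  # NAT in path: (True, False, 'udp-encap-4500')
    print(scenario(("203.0.113.5", 500), ("203.0.113.5", 500)))  # no NAT
```

The second call models the "routing change" case from the reply: when the same peer reaches the responder without an address rewrite, the hashes match and the peers fall back to plain ESP, which is why a tunnel can alternate between needing and not needing NAT-T.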