NAT traversal

prashantrecon (Level 1)

What is the exact use of NAT traversal? Can anyone explain with a scenario?

Accepted Solution (varrao, Level 10)

Hi Prashant,


If a remote client comes from a direct public IP address, like a publicly hosted server, it connects over the tunnel the way a regular tunnel is established, over UDP port 500. But if a client comes from behind a NATed IP address, like an Airtel ADSL modem where you have a private IP address but the ISP PATs/NATs it, then it connects over UDP 500 but is encapsulated by another header, the NAT-T header, and it communicates over UDP 4500. Then on the headend device, like the ASA, you need to have NAT-T enabled.

When you have NAT-T enabled, both NATed clients and clients with a public IP will be able to connect, but if you don't, then only clients with a public IP will be able to connect.

Also, on the VPN client you need to have a check on "Enable Transparent Tunneling" and the radio button should be selected for "IPsec over UDP (NAT/PAT)". This is under the VPN profile you're connecting to, on the Transport tab:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2264331

By default on the ASA, NAT-T is enabled; crypto isakmp nat-traversal is the command.

I hope this helps.

Thanks,
Varun Rao
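To make the "encapsulated by another header" part of the answer concrete, here is an added example (my own code, not from the post or from Cisco) that classifies the datagrams a headend would see on UDP/500 and UDP/4500 and summarises them per client. The framing rules it uses come from RFC 3947/3948 rather than from the thread: on UDP/4500, IKE messages carry a 4-byte all-zero "non-ESP marker" in front of the ISAKMP header, UDP-encapsulated ESP starts directly with its non-zero SPI, and a single 0xFF byte is the NAT keepalive that holds the NAT/PAT binding open. The sample datagrams, the headend address 198.51.100.1 and the client addresses are all constructed (RFC 5737 documentation ranges). The per-client summary is the kind of check a practitioner makes when a tunnel shows as established but no data seems to flow: it separates IKE (control plane) from encapsulated ESP (data plane) for NATed clients.

```python
"""Classify UDP/500 and UDP/4500 datagrams seen at an IPsec headend.

Framing facts (RFC 3947/3948, not from the forum post):
  * UDP/500  carries plain IKE (ISAKMP) messages, 28-byte header minimum.
  * UDP/4500 carries IKE prefixed by a 4-byte zero non-ESP marker,
    UDP-encapsulated ESP (first 4 bytes = non-zero SPI, then sequence number),
    or a 1-byte 0xFF NAT keepalive.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HEADER_LEN = 28


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def ike_header(init_spi: int, resp_spi: int, exchange_type: int,
               msg_id: int = 0, body: bytes = b"") -> bytes:
    """Build a minimal ISAKMP header (IKEv1 layout) followed by an optional body."""
    length = ISAKMP_HEADER_LEN + len(body)
    # init SPI, resp SPI, next payload, version 1.0, exchange type, flags, msg id, length
    return struct.pack(">QQBBBBII", init_spi, resp_spi, 0, 0x10,
                       exchange_type, 0, msg_id, length) + body


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI + sequence number) followed by opaque ciphertext."""
    return struct.pack(">II", spi, seq) + ciphertext


def classify(dg: Datagram) -> str:
    """Return the kind of IKE/NAT-T traffic a UDP datagram carries."""
    if dg.dport == IKE_PORT:
        return "ike" if len(dg.payload) >= ISAKMP_HEADER_LEN else "malformed"
    if dg.dport != NAT_T_PORT:
        return "other"
    p = dg.payload
    if p == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(p) >= ISAKMP_HEADER_LEN + 4 and p[:4] == NON_ESP_MARKER:
        return "ike-over-nat-t"
    if len(p) >= 8 and p[:4] != NON_ESP_MARKER:  # SPI 0 is reserved, so non-zero here
        return "esp-in-udp"
    return "malformed"


def esp_spi(dg: Datagram) -> Optional[int]:
    """SPI of a UDP-encapsulated ESP datagram, or None for anything else."""
    if classify(dg) != "esp-in-udp":
        return None
    return struct.unpack(">I", dg.payload[:4])[0]


def summarize(datagrams: List[Datagram]) -> Dict[str, Dict[str, int]]:
    """Count traffic kinds per source address."""
    out: Dict[str, Dict[str, int]] = {}
    for dg in datagrams:
        kinds = out.setdefault(dg.src, {})
        kind = classify(dg)
        kinds[kind] = kinds.get(kind, 0) + 1
    return out


def diagnose(summary: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """One-line verdict per client: is the data plane (ESP) actually flowing?"""
    verdicts = {}
    for src, kinds in summary.items():
        if kinds.get("esp-in-udp", 0) > 0:
            verdicts[src] = "nat-t: encapsulated ESP flowing on UDP/4500"
        elif kinds.get("ike-over-nat-t", 0) > 0:
            verdicts[src] = "nat-t: IKE seen on UDP/4500 but no encapsulated ESP"
        elif kinds.get("ike", 0) > 0:
            verdicts[src] = "native: IKE on UDP/500; ESP travels as IP protocol 50, outside UDP"
        else:
            verdicts[src] = "no IKE/IPsec traffic"
    return verdicts


# Constructed sample capture: one public-IP client, one NATed client that
# passes data, and one NATed client whose IKE completes but sends no ESP.
HEADEND = "198.51.100.1"
SAMPLE = [
    Datagram("203.0.113.10", HEADEND, 500, ike_header(0x1111, 0, 2)),
    Datagram("203.0.113.10", HEADEND, 500, ike_header(0x1111, 0x2222, 2)),
    Datagram("192.0.2.77", HEADEND, 4500, NON_ESP_MARKER + ike_header(0x3333, 0x4444, 32, 1)),
    Datagram("192.0.2.77", HEADEND, 4500, esp_packet(0x0ABCDEF1, 1, b"\x5a" * 40)),
    Datagram("192.0.2.77", HEADEND, 4500, esp_packet(0x0ABCDEF1, 2, b"\x5a" * 40)),
    Datagram("192.0.2.77", HEADEND, 4500, NAT_KEEPALIVE),
    Datagram("192.0.2.90", HEADEND, 4500, NON_ESP_MARKER + ike_header(0x5555, 0x6666, 32, 1)),
]

if __name__ == "__main__":
    for src, verdict in diagnose(summarize(SAMPLE)).items():
        print(f"{src:14} {verdict}")
```

The classifier only looks at the UDP payload, so it is deliberately blind to native ESP (IP protocol 50); that blindness is the point, because a NAT/PAT device that forwards UDP/500 but cannot forward protocol 50 is exactly the case NAT-T exists to cover.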


varrao (Level 10)

Hi Prashant,

I would be able to explain in detail if you can let me know what you are trying to accomplish on the device and which device you are working with.

Thanks,
Varun Rao

Hi Varun,

We are using an ASA 5520 in our environment. I am facing a problem: I am able to connect to the VPN from the outside network to the LAN, but not able to take a remote of a LAN PC from a particular network connection (Airtel ISP).

But when I try this from another service provider, like Reliance, I am able to take remote.


Hi Varrao,

In this case, will NAT-T cause any issues while establishing the phase-1 tunnel between the end clients?

In my scenario, I could see the tunnel got established, but I do not see any Tx and Rx bytes under the VPN session.

Thanks in advance.
