Need to set NAT Traversal with 1:1 NAT?

kay.kang
Level 1

Hi,

I am trying to use 1:1 Static NAT on NAT enabled device.

There is a firewall behind the NAT enabled device, which will have IPSec setup.

Do I need to set up NAT-T (Traversal) on the firewall in this case when using 1:1 Static NAT?

As far as I understand, NAT-T needs to be set when using PAT (Dynamic Port Address Translation).


5 Replies

@kay.kang NAT-T needs to be enabled on both ends, it should be enabled as default. Both devices will attempt to discover if NAT is used and if so, NAT-T will ensure the packets are encapsulated using UDP/4500 instead of ESP.

Hi Rob,


Do you mean NAT-T should also be enabled in the case of using 1:1 Static NAT, which will map the dedicated IP address to the firewall's private IP address from the NAT pool?

I understand NAT-T should be enabled with the case of using PAT, which will translate port number because ESP doesn’t have transport layer encapsulation.

Do we have to care about port translation if we use 1:1 Static NAT using NAT pool?

ASA1-NAT-Internet-ASA2


If you configure the peer in ASA2 as the NAT IP of ASA1, then you must configure static 1:1 PAT.

"This PAT opens the ports for ESP and 4500."
NAT-T must be enabled.
Simply put, NAT-T matches the identity of ASA1 with the source IP header in the IPsec packet.
If they don't match, IPsec fails.

Hi,


I am not talking about Static PAT.

I also know NAT-T should be enabled with the case of using PAT because ESP packet doesn’t have transport layer encapsulation.

The reason I want to use 1:1 Static NAT is that I don't want to set a static port map.

My question was about the case of using 1:1 Static NAT.

Even if you use static NAT, you need NAT-T.

ASA1-NAT-Internet-ASA2

ASA2 receives the IPsec packet with the "mapped, not real" IP address as the source of these packets.
ASA2 then validates the ID of ASA1, which is the "real" IP address.
It will check the IPsec header IP and ID against your config.

If NAT-T is disabled, this check fails.

If NAT-T is enabled, this check succeeds.
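The replies above (Rob's note that both peers "discover if NAT is used" and switch to UDP/4500, and the later explanation that ASA2 sees the mapped address while ASA1's ID carries the real one) rest on how IKE NAT detection actually works. The following Python block is an added illustration, not code from the thread or from Cisco: it implements the NAT_DETECTION hash from RFC 7296 section 2.23 (SHA-1 over the two IKE SPIs, the IP address and the port) and runs it for three constructed scenarios. The SPI values and the addresses 192.168.10.1 and 203.0.113.10 are made up for the demo. The point it shows is that the address is part of the hash, so 1:1 static NAT trips detection exactly as PAT does, even though the port is untouched.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # UDP port for plain IKE
NAT_T_PORT = 4500    # UDP port used once NAT-T is negotiated


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data per RFC 7296 section 2.23:
    SHA-1( SPIi || SPIr || IP address || port ), with the port big-endian."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Responder-side check.

    The initiator hashes the address/port it believes it is sending from and
    puts that in NAT_DETECTION_SOURCE_IP.  The responder recomputes the hash
    from the source address/port it actually saw on the wire.  Any rewrite of
    the address, the port, or both in transit makes the two hashes differ.
    """
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return sent != seen


def choose_port(nat_present: bool) -> int:
    """Once NAT is detected, both peers move IKE and ESP to UDP/4500."""
    return NAT_T_PORT if nat_present else IKE_PORT


def run_scenarios() -> dict:
    """Three constructed cases for ASA1 (real 192.168.10.1) behind a NAT device.
    Returns {scenario: (nat_detected, udp_port_selected)}."""
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI is zero in the first IKE_SA_INIT
    real_ip = "192.168.10.1"                    # constructed private address of ASA1
    mapped_ip = "203.0.113.10"                  # constructed public address (documentation range)

    # What ASA2 actually observes as the packet's source in each case.
    observed = {
        "no NAT":          (real_ip,   IKE_PORT),   # address and port unchanged
        "1:1 static NAT":  (mapped_ip, IKE_PORT),   # address rewritten, port kept
        "PAT":             (mapped_ip, 51234),      # address and port rewritten
    }

    results = {}
    for name, (ip, port) in observed.items():
        # ASA1 always hashes its own real address and UDP/500.
        nat = nat_detected(spi_i, spi_r, real_ip, IKE_PORT, ip, port)
        results[name] = (nat, choose_port(nat))
    return results


if __name__ == "__main__":
    for scenario, (nat, port) in run_scenarios().items():
        print(f"{scenario:15s} NAT detected={nat!s:5s} -> IKE/ESP on UDP/{port}")
```

The "1:1 static NAT" row is the answer to the original question: the port stays 500, but the hash still mismatches because the source address was rewritten, so the peers detect NAT and encapsulate ESP in UDP/4500. Leaving NAT-T disabled on the ASA means the mismatch is found but no encapsulation follows, which is the failure the later replies describe.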
