NAT-Traversal

shivaram840

I want to understand what the use of NAT-T is.

I have gone through many documents but it is still confusing me.

We have a site-to-site VPN between two ASA firewalls, so I have disabled NAT-T on the ASA firewall, but still both sites are communicating with each other?

I believe IPsec will not work behind the NAT device unless NAT-T is used, so how is it pinging even with NAT-T disabled?

Thanks,

Shiva


Hello Shiva,

IPsec encrypts both the data and the TCP header. It also encrypts the IP header if tunnel mode is used. If you check the packets with Wireshark, you see only layer 3 and ESP or AH as layer 4, so it means there is no layer 4 (no ports).

There would be an issue when IPsec is going through a device which is doing PAT (overload NAT). PAT uses the TCP or UDP port in order to identify the return traffic and replace the public IP with the correct private IP as packets return; however, there is no port in the encrypted packet.

The solution is NAT-traversal. NAT-traversal encapsulates the packets in UDP headers with port 4500, so there will be no problem with PAT anymore.

I hope it is clear.

Masoud

shivaram840

Thanks Masoud, you made me happy with your post and answer.

But after disabling NAT-T on the ASA firewall, I am still able to ping the destination IPs?

The tunnel is there between the ASA and the other ASA firewall, and I disabled NAT-T on one firewall, though I am still able to ping both sides.

Thanks,

Shiva

You do not need to enable NAT traversal between two ASAs. Is there any device between the two ASAs doing PAT?

NAT-traversal is used in the following scenario, usually remote access VPN, not site-to-site.

Client(remote IPsec client)-----------router or a device(PAT)----internet----VPN server.

That device (PAT) causes a problem because it does not see any ports to use for PAT.

You enable NAT-traversal on the client. The client encapsulates the encrypted packets in UDP headers with port 4500. Now the device (PAT) can use that port.

Hope it is clear now.
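To make the point of both replies concrete (why a PAT device has nothing to translate on plain ESP, and what NAT-T's UDP/4500 encapsulation gives it), here is an added example that is not part of this thread: a small Python packet classifier run over two constructed packets, one raw ESP (IP protocol 50) and one UDP-encapsulated ESP on port 4500 as described in RFC 3948. The addresses, SPI and payload bytes are made up for the demonstration.

```python
import struct

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) for a constructed packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def build_udp(sport, dport, payload):
    """Minimal UDP header (checksum 0) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(packet):
    """Report what a PAT device sees: L4 protocol, ports (if any) and whether it can translate."""
    ihl = (packet[0] & 0x0F) * 4      # IP header length in bytes
    proto = packet[9]                 # IP protocol number
    l4 = packet[ihl:]
    if proto == ESP_PROTO:
        # Raw ESP: the first field after the IP header is the SPI, no ports anywhere.
        return {"l4": "ESP", "spi": struct.unpack("!I", l4[:4])[0], "ports": None, "pat_ok": False}
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", l4[:4])
        body = l4[8:]
        info = {"l4": "UDP", "ports": (sport, dport), "pat_ok": True}
        if NAT_T_PORT in (sport, dport):
            # RFC 3948: UDP-encapsulated ESP carries the SPI right after the UDP header,
            # while IKE on 4500 starts with a 4-byte zero "non-ESP marker".
            if body[:4] == b"\x00\x00\x00\x00":
                info["inner"] = "IKE"
            else:
                info["inner"], info["spi"] = "ESP", struct.unpack("!I", body[:4])[0]
        return info
    return {"l4": proto, "ports": None, "pat_ok": False}

# Constructed sample packets: SPI 0x1234, sequence 1, a few opaque ciphertext bytes.
ESP_BODY = struct.pack("!II", 0x1234, 1) + b"\xde\xad\xbe\xef"
PLAIN_ESP = build_ipv4("10.0.0.5", "198.51.100.9", ESP_PROTO, ESP_BODY)
NAT_T_ESP = build_ipv4("10.0.0.5", "198.51.100.9", UDP_PROTO,
                       build_udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY))

if __name__ == "__main__":
    for name, pkt in (("plain ESP", PLAIN_ESP), ("NAT-T ESP", NAT_T_ESP)):
        print(name, classify(pkt))
```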
