NAT-T affects other VPN tunnels?

huntlee
Level 1

Hi all,

I need to connect a site-to-site VPN to a Cisco Meraki device; my side is a Cisco ASA-X firewall.

I was told by my client that the only way to connect to their Meraki device is if I turn on "NAT-T NAT traversal" on my Cisco ASA-X.

However, the only way I find to enable NAT traversal is to put crypto isakmp nat-traversal 3600 as a global command.

What I am worried about is that, since my other current site-to-site VPN tunnels on my ASA do not have NAT traversal, by enabling NAT traversal globally on my ASA, is this going to impact their tunnels?

Cheers,

Hunt

2 Replies

You can disable NAT-T on a per-VPN basis. Use the following as an example of how to.

crypto map outside_map 5 set nat-t-disable

--

Please remember to select a correct answer and rate helpful posts


Diego Lopez
Level 1

Hello,

This is not going to impact your other tunnels at all!!!

This NAT-T functionality will allow the ASA to detect devices behind a NAT and will use UDP port 4500 instead of UDP 500.

The current peers that are not behind a NAT device will just work as usual with UDP port 500.

If you would like to know more about how NAT-T works you can check this documentation:

https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec

Regards, please rate!
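
The NAT detection described in the reply above, sketched as an added example that is not part of the original thread and is not Cisco's code. It follows the NAT-D payload defined in RFC 3947, HASH(CKY-I | CKY-R | IP | Port); the function names, cookies, addresses and the choice of SHA-1 as the negotiated hash are assumptions made for illustration.

```python
import hashlib
import ipaddress

IKE_PORT, NAT_T_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    algo stands in for the hash negotiated in IKE (assumed SHA-1 here)."""
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + port.to_bytes(2, "big"))
    return hashlib.new(algo, data).digest()

def negotiate_port(cky_i, cky_r, sender_view, receiver_view):
    """Return the UDP port the peers use after NAT discovery.

    sender_view:   (src_ip, src_port, dst_ip, dst_port) as the sender built it
    receiver_view: the same fields as read from the IP/UDP header on arrival
    """
    s_src_ip, s_src_port, s_dst_ip, s_dst_port = sender_view
    r_src_ip, r_src_port, r_dst_ip, r_dst_port = receiver_view
    # The sender places hashes of its own view of both endpoints in NAT-D payloads.
    sent_dst = nat_d_hash(cky_i, cky_r, s_dst_ip, s_dst_port)
    sent_src = nat_d_hash(cky_i, cky_r, s_src_ip, s_src_port)
    # The receiver recomputes them from the header it actually received.
    seen_dst = nat_d_hash(cky_i, cky_r, r_dst_ip, r_dst_port)
    seen_src = nat_d_hash(cky_i, cky_r, r_src_ip, r_src_port)
    # Any mismatch means an address or port was rewritten in transit.
    nat_present = sent_dst != seen_dst or sent_src != seen_src
    return NAT_T_PORT if nat_present else IKE_PORT

# Constructed sample data (documentation address ranges, fixed cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
ASA = "192.0.2.1"

# Existing peer with a public address: the header arrives unchanged.
DIRECT = ("198.51.100.10", 500, ASA, 500)
# New peer behind NAT: source address and port are rewritten on the way.
NATTED_SENT = ("10.0.0.5", 500, ASA, 500)
NATTED_SEEN = ("203.0.113.7", 1024, ASA, 500)

if __name__ == "__main__":
    print("direct peer ->", negotiate_port(CKY_I, CKY_R, DIRECT, DIRECT))
    print("NATed peer  ->", negotiate_port(CKY_I, CKY_R, NATTED_SENT, NATTED_SEEN))
```
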