About NAT-T and ICMP

ciscolover
Beginner

Hi all,

I have two questions:

1) About NAT-T:

I have created an IPsec tunnel like this (see the diagram): http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

It is an easy tunnel, but there is one thing that I can't understand. Router A and Router B perform NAT translations. Is this a NAT-T IPsec tunnel? The traffic between 10.1.1.0 and 172.16.0.2 works well, but I have not included any command like "crypto isakmp nat-traversal".

2) ABOUT ICMP

I can ping any host from Router A to the LAN network of Router B, and I can ping any host from Router B to the LAN network of Router A.

But I can't ping Router A from Router B and I can't ping Router B from Router A (I have tried using the "source IP" option). Why can't I ping the LAN router interfaces from the other side?

Thanks for your help.

ACCEPTED SOLUTION

NAT-T is enabled by default. You don't need to enable it.

Regarding ICMP, it should be matched by the ACL. Are you trying this on real devices or just testing in software like GNS, Packet Tracer, etc.?

Sr Network Engineer
Freelancer


5 REPLIES

Spooster IT Services
Rising star

Hi,

1) NAT-T

To understand NAT-T, let's take the following example.

In this example, the initiator’s IP address, 192.179.100.50, which has been dynamically assigned to the device, is hidden by the NAT device and translated to 100.10.1.253.

NAT-T with Dynamic Endpoint VPN

Network Address Translation-Traversal (NAT-T) is a method for getting around IP address translation issues encountered when data protected by IPsec passes through a NAT device for address translation. Any change to the IP addressing, which is the function of NAT, causes IKE to discard packets. After detecting one or more NAT devices along the data path during Phase 1 exchanges, NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP, with port 4500 used as both the source and destination port.

2) ABOUT ICMP

What are the IPs on your Router A and Router B (which you are using as the source IP) from which you are trying to ping, and what is the VPN interesting traffic? Can you post the configuration of both routers if possible?

Sr Network Engineer
Freelancer
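As an added example (not from the post above and not Cisco code), here are the two mechanisms the reply describes, in Python: the NAT-D hash from RFC 3947 that lets each IKE peer notice during Phase 1 that a NAT rewrote an address, and the demultiplexing of packets arriving on UDP/4500 per RFC 3948 (IKE behind a four-zero-byte non-ESP marker, ESP with its SPI first, one-byte keepalives). The IKE cookies are constructed values and SHA-1 is assumed as the negotiated hash; the addresses are the ones from the reply's scenario.

```python
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on UDP/4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte keepalive, carries no IKE or ESP


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload per RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the negotiated hash (assumption for this example)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes, seen_ip: str, seen_port: int) -> bool:
    """The peer hashed the address it believes it has. If the hash over the
    address/port we actually received the packet from differs, a NAT is in the path."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != peer_nat_d


def classify_udp4500(payload: bytes) -> str:
    """Classify a UDP/4500 payload as keepalive, IKE, or UDP-encapsulated ESP.
    A real ESP SPI is never zero, so the non-ESP marker is unambiguous."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:  # SPI (4 bytes) + sequence number (4 bytes) at minimum
        spi = struct.unpack("!I", payload[:4])[0]
        return f"esp spi=0x{spi:08x}"
    return "unknown"


# Constructed sample for the scenario above: the initiator's real address
# 192.179.100.50 is translated by the NAT device to 100.10.1.253.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
INITIATOR_NAT_D = nat_d_hash(CKY_I, CKY_R, "192.179.100.50", 500)  # what the initiator sends

if __name__ == "__main__":
    # The responder sees the translated address, so the hashes no longer agree: NAT detected.
    print("NAT detected:", nat_detected(CKY_I, CKY_R, INITIATOR_NAT_D, "100.10.1.253", 500))
    for pkt in (NAT_KEEPALIVE, NON_ESP_MARKER + b"\x01" * 28, b"\x12\x34\x56\x78\x00\x00\x00\x01"):
        print(classify_udp4500(pkt))
```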

Thanks,

In my configuration (like the link http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html ) I have port 4500... It uses NAT-T...

But I don't understand why it works without any command like "isakmp nat-traversal". Isn't this command necessary?

My config is exactly like the link. ICMP does not work between 10.1.1.2 and 172.16.2.1, but it works between 10.1.1.2 and 172.16.2.2, for example (a remote host). It is traffic matched by the ACL.

Thanks!!

Thanks!!

ICMP works now. Maybe I had confused the destination IP or similar...

Glad to hear...

Sr Network Engineer
Freelancer