About NAT-T and ICMP

ciscolover
Level 1

Hi all,

I have 2 questions:

1) About NAT-T:

I have created an IPsec tunnel like this (look at the diagram): http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

It is an easy tunnel, but there is a thing that I can't understand. Router A and Router B make NAT translations. Is this a NAT-T IPsec tunnel? The traffic between 10.1.1.0 and 172.16.0.2 works well, but I have not included any command like "crypto isakmp nat-traversal".

2) ABOUT ICMP

I can Ping any host from Router A to the LAN network of router B and I can ping any host from Router B to the LAN network of router A.

But I can't ping Router A from Router B and I can't ping Router B from Router A (I have tried using the "source IP" option). Why can't I ping the LAN router interfaces from the other side?

Thanks for your help.


5 Replies

Hi,

1) NAT-T

To understand NAT-T, let's take the following example:

In this example, the initiator’s IP address, 192.179.100.50, which has been dynamically assigned to the device, is hidden by the NAT device and translated to 100.10.1.253.

NAT-T with Dynamic Endpoint VPN

Network Address Translation-Traversal (NAT-T) is a method for getting around IP address translation issues encountered when data protected by IPsec passes through a NAT device for address translation. Any changes to the IP addressing, which is the function of NAT, cause IKE to discard packets. After detecting one or more NAT devices along the datapath during Phase 1 exchanges, NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP, with port 4500 used as both the source and destination port.

2) ABOUT ICMP

What are the IPs on your Router A and Router B (which you are using as the source IP) from which you are trying to ping, and what is the VPN interesting traffic? Can you post the configuration of both routers if possible?

Spooster IT Services Team
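As an added illustration (not part of this reply or of the Cisco document linked above), here is a small Python classifier that applies the UDP 4500 framing just described: IKE that has "floated" to port 4500 is prefixed with a 4-byte zero Non-ESP marker, UDP-encapsulated ESP starts directly with its non-zero SPI, and a one-byte 0xFF is the NAT keepalive (RFC 3948). The sample payloads are constructed, not from a capture; run over real UDP 500/4500 payloads, this is how a defender confirms whether a tunnel actually negotiated NAT-T rather than guessing from the configuration.

```python
"""Classify IKE / ESP traffic on UDP 500 and 4500 using RFC 3948 framing."""
import struct

ISAKMP_HDR_LEN = 28           # fixed ISAKMP/IKE header: 2 SPIs + 12 bytes of fields
NON_ESP_MARKER = b"\x00" * 4  # prefix that marks IKE (not ESP) inside UDP 4500
EXCHANGE_TYPES = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode",
                  32: "IKEv1 quick mode", 34: "IKEv2 IKE_SA_INIT",
                  35: "IKEv2 IKE_AUTH", 36: "IKEv2 CREATE_CHILD_SA",
                  37: "IKEv2 INFORMATIONAL"}

def parse_ike_header(data: bytes) -> dict:
    """Decode the 28-byte ISAKMP header (RFC 2408 / RFC 7296 layout)."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _next, version, exch, _flags, _msg_id, length = \
        struct.unpack("!QQBBBBII", data[:ISAKMP_HDR_LEN])
    return {"initiator_spi": ispi, "responder_spi": rspi,
            "major_version": version >> 4,   # 1 = IKEv1, 2 = IKEv2
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "length": length}

def classify(dst_port: int, payload: bytes) -> str:
    """Label one UDP payload seen on the IKE (500) or NAT-T (4500) port."""
    if dst_port == 500:                       # plain IKE, no marker
        return f"IKE on 500: {parse_ike_header(payload)['exchange']}"
    if dst_port != 4500:
        return "not IKE/NAT-T"
    if payload == b"\xff":                    # NAT keepalive is exactly one 0xFF byte
        return "NAT-T keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:         # IKE floated to 4500 after NAT detection
        return f"IKE in UDP 4500 (NAT-T): {parse_ike_header(payload[4:])['exchange']}"
    spi, = struct.unpack("!I", payload[:4])   # otherwise ESP: SPI first, never all-zero
    return f"UDP-encapsulated ESP (NAT-T) SPI=0x{spi:08x}"

def ike_header(exch: int, version: int = 0x10) -> bytes:
    """Build a constructed ISAKMP header for the samples below (not real traffic)."""
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, version, exch, 0, 0, ISAKMP_HDR_LEN)

# Constructed sample payloads: (destination port, UDP payload)
SAMPLES = {
    "phase1_on_500":      (500,  ike_header(2)),
    "quick_mode_floated": (4500, NON_ESP_MARKER + ike_header(32)),
    "esp_in_udp":         (4500, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16),
    "keepalive":          (4500, b"\xff"),
}

if __name__ == "__main__":
    for name, (port, payload) in SAMPLES.items():
        print(f"{name:20} -> {classify(port, payload)}")
```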

Thanks,

In my configuration (like the link http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html ) I have port 4500... It uses NAT-T...

But I don't understand why it works without any command like "isakmp nat-traversal". Is this command not necessary?

My config is exactly like the link. ICMP does not work between 10.1.1.2 and 172.16.2.1. But it works between 10.1.1.2 and 172.16.2.2, for example (a remote host). It is traffic matched by the ACL.

Thanks!!

NAT-T is enabled by default. You don't need to enable it.

Regarding ICMP, it should be matched by the ACL. Are you trying this on real devices or just testing in software like GNS, Packet Tracer, etc.?

Spooster IT Services Team

Thanks!!

ICMP works now. Maybe I had confused the destination IP or similar...

Glad to hear...

Spooster IT Services Team