Cisco ASA 5506X - force NAT-T on L2L connection?

train_wreck
Level 1

Is there any way to force the ASA to use NAT-T on a site to site (L2L) VPN connection? Some other vendors offer an option to do this, and I have found on certain ISPs I get much better performance using NAT-T rather than just plain ESP. I have tried "crypto isakmp nat-traversal 10" but that does not force the setting.

6 Replies

JP Miranda Z
Cisco Employee

Hi train_wreck,

From the ASA perspective, you need to actually be behind a NAT (a device doing PAT in front of the ASA), or the device at the other side of the tunnel needs to be behind a NAT. You can take a look at the following link to understand how NAT-T works on your ASA:

https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec

Hope this info helps!!

Rate if it helps you!!

-JP-
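To show why the ASA only switches to UDP encapsulation when a NAT actually sits on the path, here is an added illustration (not part of this thread or of any Cisco code) of the NAT-D check from RFC 3947 that IKEv1 peers perform: each side hashes the addresses it believes are in use, and the receiver compares those against the source address and port it actually observed. The cookies, addresses and the choice of SHA-1 are constructed for the example.

```python
import hashlib
import ipaddress
import struct

# Illustrative NAT-D hash check from RFC 3947 (IKEv1 NAT-T). SHA-1 is assumed here;
# a real exchange uses whichever hash algorithm the IKE SA negotiated.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order."""
    packed = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()

def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """A peer sends the hash of the address it is talking to first, then the hash of its own address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]

def receiver_detects_nat(cky_i, cky_r, received, my_ip, my_port, observed_src_ip, observed_src_port):
    """Receiver recomputes the hashes from the packet it actually saw.
    A mismatch means an address or port was rewritten on the path, i.e. a NAT exists,
    and only then do the peers move to UDP 4500 encapsulation."""
    expected_for_me = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    expected_for_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    nat_near_me = received[0] != expected_for_me
    nat_near_peer = expected_for_peer not in received[1:]
    return nat_near_me or nat_near_peer

# Constructed sample: ASA at 10.0.0.5 behind a PAT device that presents 203.0.113.7;
# the remote peer is 198.51.100.1. Cookies are arbitrary example values.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def asa_behind_pat():
    """ASA hashes its private address; the peer sees the PAT address, so the hashes differ."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, "10.0.0.5", 500, "198.51.100.1", 500)
    return receiver_detects_nat(CKY_I, CKY_R, sent, "198.51.100.1", 500, "203.0.113.7", 500)

def asa_with_public_ip():
    """ASA on a public address: observed and hashed addresses agree, so no NAT is detected."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.7", 500, "198.51.100.1", 500)
    return receiver_detects_nat(CKY_I, CKY_R, sent, "198.51.100.1", 500, "203.0.113.7", 500)

if __name__ == "__main__":
    print("NAT detected (ASA behind PAT):", asa_behind_pat())   # True  -> NAT-T (UDP 4500) used
    print("NAT detected (public IP):", asa_with_public_ip())    # False -> plain ESP stays in use
```

The second case is the situation in the question: with matching hashes on both sides, the nat-traversal keepalive setting alone never causes the tunnel to use UDP encapsulation.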

Right, so I'll take that as a "no".

train_wreck,

You got it!!!

Hope this info helps!!

Rate if it helps you!!

-JP-

We need this function. "It should just work automatically" in my book is something that rarely works when I need it to.

Trainwreck, look at this option. It works for me, but unfortunately is a debug command and won't survive a reboot:

https://supportforums.cisco.com/discussion/13262991/isp-blocks-ipsec-esp-force-nat-t-asa5500-x

Here's to hoping this is something we can force in the future...

@tpomerhn You think this will be implemented any time soon? The Great (internet) Wall is such a pain for global corporate vpn network 

I truly wish it were, but I'm not on the product team, and many of the development efforts on ASA seem to be focused on compatibility and feature merge into the next-generation firewall (i.e. FirePOWER), so things like this might get missed.

I use the solution I posted, just use an EEM script. It's not ideal, granted, but it works for now... sorry I can't help more.