12-19-2016 12:09 AM
Is there any way to force the ASA to use NAT-T on a site-to-site (L2L) VPN connection? Some other vendors offer an option to do this, and I have found that on certain ISPs I get much better performance using NAT-T rather than just plain ESP. I have tried "crypto isakmp nat-traversal 10", but that does not force the setting.
12-19-2016 04:40 PM
Hi train_wreck,
From the ASA perspective, you need to actually be behind a NAT (a device doing PAT in front of the ASA), or the device at the other side of the tunnel needs to be behind a NAT. You can take a look at the following link to understand how NAT-T works on your ASA:
https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
Hope this info helps!!
Rate if helps you!!
-JP-
12-21-2016 10:40 PM
Right, so I'll take that as a "no".
07-07-2017 01:59 PM
We need this function. "It should just work automatically" in my book is something that rarely works when I need it to.
Trainwreck, look at this option. It works for me, but unfortunately is a debug command and won't survive a reboot:
https://supportforums.cisco.com/discussion/13262991/isp-blocks-ipsec-esp-force-nat-t-asa5500-x
Here's to hoping this is something we can force in the future...
11-07-2017 03:34 AM
@tpomerhn Do you think this will be implemented any time soon? The Great (internet) Wall is such a pain for a global corporate VPN network.
11-12-2017 05:36 AM
I truly wish it were, but I'm not on the product team, and many of the development efforts on ASA seem to be focused on compatibility and feature merge into the next-generation firewall (i.e. FirePOWER), so things like this might get missed.
I use the solution I posted; just use an EEM script. It's not ideal, granted, but it works for now... sorry I can't help more.