Cisco ASA NAT-T is global configuration or tunnel based ?

gongya
Level 1

We have a remote site which is behind a NAT device. We turned off NAT-Traversal with "no crypto isakmp nat-traversal".

Can we enable NAT-T on a per-tunnel basis instead of enabling it globally?

15 Replies

@gongya it's globally enabled on the ASA by default. You can disable NAT-T for a peer, example:

crypto map CMAP 10 set nat-t-disable

Ensure you configure this command under the correct sequence number.

Or via ASDM - navigate to Configuration > Site-to-Site VPN > Advanced > Crypto Maps, select your crypto map, click Edit, click the Tunnel Policy (Crypto Map) - Advanced tab, and then uncheck the Enable NAT-T check box.

We have "no crypto isakmp nat-traversal" configured, so this means we have NAT-T disabled globally. Can we enable NAT-T on a specific tunnel?

Thanks so much!!

Enabled or disabled, if the peer is not behind NAT then it has no effect.
So can I ask why you want to disable it??

At the beginning we disabled it for some reason. Right now one remote site requests this, as their VPN device is behind a NAT device, so we need to enable it. Based on the information from Cisco, the existing VPNs might flap when you enable it globally. So we are just wondering whether we can enable it for that specific VPN only.

Thanks!!


Is there any way to enable NAT-T on a specific VPN with "no crypto isakmp nat-traversal" configured?

Thanks!!

@gongya the ASA documentation I've read doesn't explicitly state you can enable per peer, only disable. Without testing I am not sure you can explicitly enable per peer - the ASA expects NAT-T to be enabled globally and disabled per peer.

So what you could do is explicitly disable NAT-T for all other peers (as per the example provided above) and then enable it globally to achieve the desired outcome.

I agree with @Rob Ingram, and hence I will run a lab to check how we can configure two ISAKMP profiles or policies for IKEv1.
I will update you.


@MHM Cisco World wrote:

I agree with @Rob Ingram, and hence I will run a lab to check how we can configure two ISAKMP profiles or policies for IKEv1.
I will update you.


@MHM Cisco World isakmp profile? ... @gongya is using an ASA. 

Thanks so much!!

If so, then configure two ISAKMP profiles:
one with NAT-T enabled,
the other with NAT-T disabled.

Can you give an example? Thanks!!

@gongya perhaps try this...

Disable it for the peers you wish it to be explicitly disabled for. Obviously change the name and sequence numbers to fit your environment.

crypto map CMAP 10 set nat-t-disable
crypto map CMAP 11 set nat-t-disable

Enable globally:

crypto isakmp nat-traversal


As @Rob Ingram mentioned below,
you can use ONE crypto map with TWO sequence numbers:
seq 1 NAT-T enabled <<- set the peer that needs NAT-T
seq 2 NAT-T disabled <<- set the peer that does not need NAT-T

Then apply this crypto map to the OUTSIDE interface.
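Putting the two replies above together, here is an added worked configuration (not from any poster in this thread) that shows the pattern end to end: NAT-T enabled globally, one crypto map whose first sequence serves the peer behind NAT with NAT-T left on, and whose remaining sequences carry "set nat-t-disable" so the existing peers keep behaving as they did while NAT-T was globally off. Peer addresses, ACL names and the transform-set name are placeholders.

```cisco
! Global NAT-T on. 20 is the NAT keepalive interval in seconds (the ASA default).
! This is the opposite of the "no crypto isakmp nat-traversal" currently in place.
crypto isakmp nat-traversal 20

! Transform set shared by all peers (hypothetical name)
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Seq 10: the remote site whose VPN device sits behind a NAT device.
! No "set nat-t-disable" here, so NAT discovery runs during IKE and, when NAT
! is detected, ESP is carried in UDP/4500 for this peer only.
crypto map CMAP 10 match address VPN-TO-SITE-A
crypto map CMAP 10 set peer 203.0.113.10
crypto map CMAP 10 set ikev1 transform-set TS-AES256-SHA

! Seq 20 and 30: existing peers that should not negotiate NAT-T, so they are
! unaffected by the global change and do not flap.
crypto map CMAP 20 match address VPN-TO-SITE-B
crypto map CMAP 20 set peer 198.51.100.20
crypto map CMAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map CMAP 20 set nat-t-disable

crypto map CMAP 30 match address VPN-TO-SITE-C
crypto map CMAP 30 set peer 198.51.100.30
crypto map CMAP 30 set ikev1 transform-set TS-AES256-SHA
crypto map CMAP 30 set nat-t-disable

! The single crypto map is bound once to the outside interface
crypto map CMAP interface outside

! Verification: confirm nat-t-disable appears only on the intended sequences,
! then check the IKE and IPsec SAs for the NAT'd peer after it reconnects.
show running-config crypto map
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

Add every existing peer's sequence with "set nat-t-disable" before issuing the global "crypto isakmp nat-traversal" command, so the global change only alters behaviour for the peer that needs it.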