Cisco FMC/FTD site-to-site VPN 'set nat-t disable' LINA configuration

When creating a policy-based VPN on FMC, how do you get the CLI equivalent of what would be configured on an ASA as 'crypto map CSM_outside_map 1 set nat-t disable' to get configured on the FTD?

With ASDM it's a tick box in the Advanced, Crypto Map Entry section, or from the CLI it's 'crypto map <name> 1 set nat-t disable'.

With FMC there is a tick box for 'Enable NAT Traversal' when editing the local endpoint, but not the remote; however, this doesn't translate to applying the same LINA command.

Disabling NAT Keepalive messages in the Advanced Tunnel section applies the global command 'no crypto isakmp nat-traversal'; however, this is global and I need to do it on a per-peer basis.

FMC/FTD 7.2.5

 


And on the one you control, you can disable NAT-T?

MHM

I can untick the box to disable NAT-T; however, it doesn't change the configuration on the FTD:

[Screenshot: andrewbutterworth_0-1709750087725.png]

I want to add the line 'set nat-t disable' to the crypto map.

 

?crypt map CSM_outside_map 1 set nat-t-disable?

Add "?" at the start and end of the command.

I found a bug, and its workaround is to add "?".

MHM

 

I've just tried that and FMC throws an error. This is the transcript:

[Screenshot: andrewbutterworth_0-1709752692611.png]

If I try without the ? I get this:

[Screenshot: andrewbutterworth_1-1709752745794.png]

 

When you check the FTD, does the crypto map have seq 1 or another seq?

MHM

Of course it will throw an error, because the LINA CLI generated by FMC (or rather CSM running on the box) is not correct: "... set nat-t disable". It should have been "... set nat-t-disable". This is simply a bug.
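As an added check (my own example, not code from the thread, from FMC or from Cisco): a small Python script that parses a LINA running-config fragment and reports, per crypto map entry, whether NAT-T is disabled by the per-entry 'set nat-t-disable', by the global 'no crypto isakmp nat-traversal', or not at all. It also lints a FlexConfig body for the malformed 'set nat-t disable' form discussed above, so the wrong syntax is caught before a deploy. The sample config is constructed, and the script assumes NAT-T is on globally unless the 'no crypto isakmp nat-traversal' line is present.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a LINA "show running-config" fragment (not a real device).
SAMPLE_RUNNING_CONFIG = """\
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 203.0.113.10
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal AES-GCM
crypto map CSM_outside_map 1 set nat-t-disable
crypto map CSM_outside_map 2 match address CSM_IPSEC_ACL_2
crypto map CSM_outside_map 2 set peer 198.51.100.7
crypto map CSM_outside_map 2 set ikev2 ipsec-proposal AES-GCM
crypto map CSM_outside_map interface outside
crypto isakmp nat-traversal 20
"""

# Matches "crypto map <name> <seq> <rest>"; lines such as
# "crypto map <name> interface outside" have no numeric seq and are skipped.
CRYPTO_MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# The broken form FMC emitted in the thread (hyphen missing before "disable").
MALFORMED_NAT_T = re.compile(r"^crypto map \S+ \d+ set nat-t disable$")


@dataclass
class MapEntry:
    name: str
    seq: int
    peers: list = field(default_factory=list)
    nat_t_disabled: bool = False


def parse_crypto_maps(config: str) -> dict:
    """Group crypto map lines by (map name, seq) and record peers and NAT-T state."""
    entries = {}
    for raw in config.splitlines():
        m = CRYPTO_MAP_ENTRY.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault((name, seq), MapEntry(name, seq))
        if rest.startswith("set peer "):
            entry.peers.extend(rest.split()[2:])
        elif rest == "set nat-t-disable":
            entry.nat_t_disabled = True
    return entries


def global_nat_t_enabled(config: str) -> bool:
    """Assumption: NAT-T is on by default; only an explicit
    'no crypto isakmp nat-traversal' turns it off for every peer."""
    return not any(
        line.strip() == "no crypto isakmp nat-traversal"
        for line in config.splitlines()
    )


def nat_t_report(config: str) -> dict:
    """Return {(map, seq): status}, where status explains why NAT-T is on or off."""
    glob = global_nat_t_enabled(config)
    report = {}
    for key, entry in parse_crypto_maps(config).items():
        if not glob:
            report[key] = "disabled (global)"
        elif entry.nat_t_disabled:
            report[key] = "disabled (per-entry)"
        else:
            report[key] = "enabled"
    return report


def find_malformed_nat_t_lines(text: str) -> list:
    """Lint a FlexConfig body or config dump for 'set nat-t disable' (with a space)."""
    return [l.strip() for l in text.splitlines() if MALFORMED_NAT_T.match(l.strip())]


if __name__ == "__main__":
    for (name, seq), status in sorted(nat_t_report(SAMPLE_RUNNING_CONFIG).items()):
        print(f"crypto map {name} {seq}: NAT-T {status}")
    for bad in find_malformed_nat_t_lines("crypto map CSM_outside_map 1 set nat-t disable"):
        print(f"malformed line, FTD will reject it: {bad!r}")
```

Run it against the output of 'show running-config crypto' from the FTD's LINA CLI; a per-peer entry only counts as NAT-T disabled when the hyphenated form is actually present in the running config, which is exactly what the FMC-generated line above fails to produce.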

 

Lol, how did I miss that...  Wood & trees comes to mind.

Hi Pavan, I tried that and FMC still throws up an error. I'm guessing leaving the 'o' off is an attempt to fool FMC.

Max Jobs
Level 1

Hi Andrew, it seems that the commands being entered are not compatible with FMC. Maybe it's better to contact Cisco support.

Dolphins do not like underwear!