Cisco FMC/FTD site-to-site VPN 'set nat-t disable' LINA configuration

When creating a policy-based VPN on FMC, how do you get the CLI equivalent of what would be configured on an ASA as 'crypto map CSM_outside_map 1 set nat-t disable' to get configured on the FTD?

With ASDM it's a tick box in the Advanced, Crypto Map Entry section, or from the CLI it's 'crypto map <name> 1 set nat-t disable'.

With FMC, there is a tick box for 'Enable NAT Traversal' when editing the local endpoint, but not the remote; however, this doesn't translate to applying the same LINA command.

Disabling NAT Keepalive messages in the Advanced Tunnel section applies the global command 'no crypto isakmp nat-traversal'; however, this is global and I need to do it on a peer basis.

FMC/FTD 7.2.5


Accepted Solution


Of course it will throw an error, because the Lina CLI generated by FMC (or rather CSM running on the box) is not correct: "... set nat-t disable". It should have been "... set nat-t-disable". This is simply a bug.


23 Replies

Max Jobs
Level 1

Hi buddy, this is what I found over others' topics:

To achieve the equivalent of 'crypto map CSM_outside_map 1 set nat-t disable' on an ASA within FMC/FTD, you'll need to use FlexConfig. FlexConfig lets you apply CLI configurations directly onto FTD devices managed by FMC.

Here's how:

  1. Log in to your FMC.
  2. Go to Devices > FlexConfig > FlexConfig Objects.
  3. Click 'Create FlexConfig Object'.
  4. Name the object, specify the device type (FTD), and enter the CLI command: crypto map <name> 1 set nat-t disable (Replace <name> with your crypto map's name.)
  5. Save the object.

Now, apply this FlexConfig object to your FTD device:

  1. Go to Devices > Device Management.
  2. Select your device.
  3. Visit the FlexConfig tab.
  4. Click 'Attach Policy'.
  5. Choose the FlexConfig object you created and click 'Attach'.

Once attached, the FlexConfig will be deployed to the FTD device, achieving the equivalent of 'crypto map CSM_outside_map 1 set nat-t disable'.

Tried that and get 'Error - Unsupported CLI'


Max Jobs
Level 1

If you're encountering an "Error - Unsupported CLI" message when trying to apply the FlexConfig, it indicates that the CLI command you're attempting to use may not be supported or compatible with the FTD device or the version of FMC/FTD you are using.

In such cases, it's essential to verify the compatibility of the CLI command with your FTD device and the version of FMC/FTD you're using. Additionally, you may need to adjust your approach to achieve the desired configuration.

Here are some steps you can take to troubleshoot and potentially resolve the issue:

  1. Check Device Compatibility: Ensure that the CLI command you're trying to apply is compatible with the FTD device model and software version you're using. Sometimes certain commands might not be supported across different hardware platforms or software versions.

  2. Review Documentation: Consult the official documentation provided by Cisco for your specific FTD device model and software version. The documentation should outline the supported CLI commands and configuration methods.

  3. Update Software: If you're running an older version of FMC/FTD, consider updating to the latest version. Newer software releases often include support for additional CLI commands and features.

  4. Alternative Configuration: If the specific CLI command you're trying to apply is not supported, consider alternative methods or workarounds to achieve the desired configuration outcome.

  5. Reach Out to Support: If you're unable to resolve the issue on your own, consider reaching out to Cisco support for assistance. They can provide guidance and troubleshooting steps specific to your environment and configuration requirements.

By following these steps, you should be able to identify the cause of the "Unsupported CLI" error and take appropriate action to address it.

I'm guessing Moein Ascari is AI - and it's super annoying....

Dolphin chicken underpants

Sure, I am an AI

Thought so

I think if this feature is disabled on one side it will not work, so there is no need to disable it on both peers (both FWs managed by one FMC)

MHM

@andrew.butterworth try this (change the sequence number if required):-

crypt map CSM_outside_map 1 set nat-t-disable

https://bst.cisco.com/bugsearch/bug/CSCvh87734?rfs=qvlogin


Hi Rob, sorry that doesn't work either. FMC just spits out an error when deploying.

I will test with ASA, enabling NAT-T on one side and disabling it on the other side.

Update you tonight 

MHM

Can you check if the sequence number is still the same? Deployment could error out if we are trying to disable NAT-T for non-existent sequence number.

I was able to get the deployment through using this flexconfig.

crypt map CSM_outside_map 1 set nat-t-disable

Need to ask the team to update the bug as well, and that's for tomorrow morning.
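As an added example (not from the thread, and not Cisco's own tooling): a small Python check that distinguishes the accepted 'set nat-t-disable' spelling from the 'set nat-t disable' form the FMC-generated CLI uses, and that parses a constructed 'show running-config crypto map' excerpt to confirm the sequence number exists and NAT-T is disabled on it, which is the deployment condition raised above. The map name, sequence numbers and peer addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of 'show running-config crypto map' output from the FTD LINA CLI.
# Sequence 1 has NAT-T disabled, sequence 2 does not; peers use documentation ranges.
SAMPLE_RUNNING_CONFIG = """\
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 203.0.113.10
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal AES256-SHA
crypto map CSM_outside_map 1 set nat-t-disable
crypto map CSM_outside_map 2 match address CSM_IPSEC_ACL_2
crypto map CSM_outside_map 2 set peer 198.51.100.20
crypto map CSM_outside_map 2 set ikev2 ipsec-proposal AES256-SHA
crypto map CSM_outside_map interface outside
"""

CRYPTO_MAP_LINE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
FLEXCONFIG_OK = re.compile(r"^crypto map (\S+) (\d+) set nat-t-disable$")
FLEXCONFIG_BUGGY = re.compile(r"^crypto map (\S+) (\d+) set nat-t disable$")


def crypto_map_sequences(running_config):
    """Return {(map_name, seq): [attribute strings]} for every crypto map entry."""
    entries = defaultdict(list)
    for line in running_config.splitlines():
        m = CRYPTO_MAP_LINE.match(line.strip())
        if m:
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
    return entries


def nat_t_disabled(running_config, map_name, seq):
    """True if NAT-T is disabled on that entry. Raises KeyError when the sequence
    number does not exist, the situation in which the deploy errors out."""
    entries = crypto_map_sequences(running_config)
    if (map_name, seq) not in entries:
        raise KeyError(f"crypto map {map_name} {seq} does not exist")
    return "set nat-t-disable" in entries[(map_name, seq)]


def validate_flexconfig(line):
    """Return (True, (map_name, seq)) for the accepted spelling, else (False, reason)."""
    line = line.strip()
    m = FLEXCONFIG_OK.match(line)
    if m:
        return True, (m.group(1), int(m.group(2)))
    if FLEXCONFIG_BUGGY.match(line):
        return False, "'set nat-t disable' is rejected by FTD; use 'set nat-t-disable'"
    return False, "not a crypto map nat-t-disable line"
```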

As I understand from his reply,

he has FMC controlling both peers.

On one peer he can disable NAT-T via the GUI, and on the other peer he cannot do that.

And as I mentioned, he doesn't need to disable NAT-T on both ends; he can do that on one peer.

Correct me if I am wrong.

MHM

FMC is only controlling one peer - the other is 'Extranet'