IPSEC-ESP-NAT

Ratheesh mv
Level 1

Hi all,

I have disabled NAT-T on both VPN GWs and configured PAT on IR-GW. As per my understanding, PAT can work only if NAT-T is supported. However, PATing is happening even though NAT-T is disabled.

Could anyone explain how this works? I saw protocol ESP in the NAT translation table, so I checked the SPI that is bound along with ESP (Wireshark), but it was different from A6E39B (NAT table entry).

IR-GW#sh ip nat translations
Pro  Inside global  Inside local      Outside local  Outside global
esp  12.0.0.1:0     11.0.0.1:A6E39B   12.0.0.2:0     12.0.0.2:0
esp  12.0.0.1:0     11.0.0.1:0        12.0.0.2:0     12.0.0.2:21B97BFC

NAT configuration:

IR-GW#sh running-config | include nat
ip nat inside
ip nat outside
ip nat inside source list NAT interface Ethernet0/1 overload

IR-GW#sh ip access-lists NAT
Extended IP access list NAT
10 permit ip any any (11 matches)

ESP has been used as the protocol.

Thanks

ipsec topology.PNG
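The thread turns on what the "port" column of those two esp entries actually holds: IOS NAT tracks ESP by its 32-bit SPI (the first four bytes of the ESP header) rather than by a transport port, so 11.0.0.1:A6E39B is the SPI of the SA carrying ESP from the inside host out, and 12.0.0.2:21B97BFC the SPI of the SA arriving from the peer. The script below is an added example, not part of the original post or any Cisco tool: it parses the posted translation table, pulls the SPI out of a raw IPv4/ESP packet the way Wireshark displays it, and reports which NAT entry (if any) that SPI corresponds to. The ESP packet and the IP header fields in it are constructed for the example; the only real data is the table text from the post.

```python
"""Match Wireshark-visible ESP SPIs against 'show ip nat translations' esp entries."""
import socket
import struct

# Constructed sample: the two esp entries exactly as posted (not a live capture).
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
esp 12.0.0.1:0 11.0.0.1:A6E39B 12.0.0.2:0 12.0.0.2:0
esp 12.0.0.1:0 11.0.0.1:0 12.0.0.2:0 12.0.0.2:21B97BFC
"""

ESP_PROTOCOL = 50


def parse_esp_translations(table):
    """Return {'outbound': spi, 'inbound': spi} from IOS NAT table text.

    For esp rows IOS prints the SPI (hex, no leading zeros) where a port would be:
    inside-local carries the SPI of ESP leaving the inside host, outside-global
    the SPI of ESP coming back from the peer. Zero means "not this direction".
    """
    spis = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "esp":
            continue
        _inside_global, inside_local, _outside_local, outside_global = fields[1:]
        for direction, field in (("outbound", inside_local), ("inbound", outside_global)):
            spi = int(field.rsplit(":", 1)[1], 16)
            if spi:
                spis[direction] = spi
    return spis


def _ipv4_checksum(header):
    """Standard one's-complement IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_esp(src, dst, spi, seq=1, payload=b"\x00" * 16):
    """Construct a minimal IPv4 packet carrying ESP (constructed test data).

    ESP header layout (RFC 4303): 4-byte SPI, 4-byte sequence number, then the
    encrypted payload. The payload here is just filler; only the headers matter.
    """
    esp = struct.pack("!II", spi, seq) + payload
    total_len = 20 + len(esp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      ESP_PROTOCOL, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp


def esp_spi_from_ipv4(packet):
    """Extract the SPI from a raw IPv4 packet; raises if it is not ESP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTOCOL:
        raise ValueError("not an ESP packet (protocol %d)" % packet[9])
    spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return spi


def classify_spi(spi, translations):
    """Return the NAT direction whose SPI matches, or None when no entry matches.

    None is the situation described in the post: the SPI seen in Wireshark does
    not correspond to either esp translation currently in the table.
    """
    for direction, table_spi in translations.items():
        if table_spi == spi:
            return direction
    return None


if __name__ == "__main__":
    translations = parse_esp_translations(NAT_TABLE)
    for spi in (0xA6E39B, 0x21B97BFC, 0xDEADBEEF):
        pkt = build_ipv4_esp("11.0.0.1", "12.0.0.2", spi)
        seen = esp_spi_from_ipv4(pkt)
        print("SPI 0x%08X -> %s" % (seen, classify_spi(seen, translations)))
```

When comparing against Wireshark, note that IOS drops leading zeros (A6E39B is SPI 0x00A6E39B) and that the two SAs of one tunnel have different SPIs, so an outbound capture should be compared with the inside-local entry and an inbound capture with the outside-global one; a SPI that matches neither usually means the table was read after a rekey or from a different SA pair.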

1 Reply

The tunnel is happy because the port (ESP, UDP 500) is available; this is how PAT works.
PAT searches for the port; if it is available, PAT will translate the IP and keep the port the same.
If the port is not available, PAT will select one of the free UDP ports... <- here the issue comes.

Also keep in mind that if PAT is not configured and you use a pre-shared key with address 0.0.0.0, it can work, but if there are many tunnels with different pre-shared keys then there is a chance that IPsec fails.