02-20-2016 03:09 PM
Hi all,
I need to connect a site-to-site VPN to a Cisco Meraki device; my side is a Cisco ASA-X Firewall.
I was told by my client that the only way to connect to their Meraki device is if I turn on "NAT-T NAT traversal" on my Cisco ASA-X.
However, the only way I can find to enable NAT traversal is to put crypto isakmp nat-traversal 3600 as a global command.
What I am worried about is that, since my other current site-to-site VPN tunnels on my ASA do not have NAT traversal, will enabling NAT traversal globally on my ASA impact their tunnels?
Cheers,
Hunt
02-21-2016 01:18 PM
You can disable NAT-T on a per-VPN basis. Use the following as an example of how to.
crypto map outside_map 5 set nat-t-disable
--
Please remember to select a correct answer and rate helpful posts
02-21-2016 07:40 PM
Hello,
This is not going to impact your other tunnels at all!!!
This NAT-T functionality will allow the ASA to detect devices behind a NAT and will use UDP port 4500 instead of UDP 500.
The current peers that are not behind a NAT device will just work as usual with UDP port 500.
If you would like to know more about how NAT-T works you can check this documentation:
https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
Regards, please rate!
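An added example, not part of the thread and not Cisco tooling: a small Python check that reads ASA configuration text and reports, per crypto map entry, whether NAT-T can still be negotiated given the global command and the per-entry nat-t-disable override discussed above. The sample config, ACL names and peer addresses are constructed, and the global setting is read only from an explicit config line (platform defaults are not modelled).

```python
import re

# Constructed sample config (not from a real device); peers are documentation IPs.
SAMPLE_CONFIG = """\
crypto map outside_map 5 match address VPN_SITE_A
crypto map outside_map 5 set peer 192.0.2.10
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 10 match address VPN_MERAKI
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map interface outside
crypto isakmp nat-traversal 3600
"""

# Global command from the thread (optionally in its "no" form, with optional keepalive).
GLOBAL_RE = re.compile(r"^(no\s+)?crypto isakmp nat-traversal(?:\s+\d+)?\s*$")
# Per-entry lines we care about: the peer list and the nat-t-disable override.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|nat-t-disable)\b\s*(.*)$")


def audit_nat_t(config_text):
    """Return (global_state, entries); global_state is None if no global line exists."""
    global_state = None
    entries = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        g = GLOBAL_RE.match(line)
        if g:
            global_state = g.group(1) is None  # "no ..." form means disabled
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # match address, interface binding, unrelated lines
        key = (e.group(1), int(e.group(2)))
        entry = entries.setdefault(key, {"peers": [], "nat_t_disabled": False})
        if e.group(3) == "peer":
            entry["peers"].extend(e.group(4).split())
        else:
            entry["nat_t_disabled"] = True
    return global_state, entries


def nat_t_usable(global_state, entry):
    """NAT-T is negotiable only if enabled globally and not disabled on the entry."""
    return bool(global_state) and not entry["nat_t_disabled"]


if __name__ == "__main__":
    state, found = audit_nat_t(SAMPLE_CONFIG)
    for (name, seq), entry in sorted(found.items()):
        print(name, seq, entry["peers"], "NAT-T usable:", nat_t_usable(state, entry))
```

Running it against a saved copy of the running configuration before and after the change shows which existing tunnels keep NAT-T off and which peers can now negotiate it.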