
NAT-T over PAT

hanwucisco
Level 1

I think starting from IOS 12.3, NAT-T is automatically enabled. Does it mean you need not do anything, it will work when you configure IPSec VPN across PAT? In my case, it doesn't. The VPN IPSec encrypted packet number doesn't increase. When I take off either of the PAT or VPN, the other works.

Any idea?

thanks,

Han


Gustavo Medina
Cisco Employee

Yes, it is enabled by default, meaning that after discovering that either side is behind NAT, the ESP packets will get encapsulated into UDP 4500 packets. Is someone in the middle blocking UDP 4500? Are you allowing UDP 4500 on the access-group applied to the outside interface? Does the tunnel get established when negotiating NAT-T? Could you attach the "sh crypto ipsec sa"?

--Tavo
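An added example, not part of the thread or of any Cisco tooling: one way to check from a packet capture whether encapsulated ESP is actually flowing on UDP 4500 in each direction, using the RFC 3948 framing (one-byte 0xFF keepalive, four zero bytes before IKE, otherwise ESP). The function names and the sample datagrams are constructed for illustration; feeding in real payloads from a capture is left to the reader's tooling.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: precedes IKE on UDP 4500

def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram (RFC 3948 framing)."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + 28:  # marker plus 28-byte IKE header
            return {"kind": "malformed"}
        # IKE header: SPIi, SPIr, next payload, version, exchange, flags, id, length
        _, _, _, ver, exch, _, _, length = struct.unpack("!8s8sBBBBII", payload[4:32])
        return {"kind": "ike", "major_version": ver >> 4, "exchange_type": exch, "length": length}
    # Otherwise ESP: a non-zero SPI followed by the sequence number
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def summarize(datagrams):
    """Count payload kinds per direction; datagrams is [(direction, payload), ...]."""
    return Counter((d, classify_natt_payload(p)["kind"]) for d, p in datagrams)

def diagnose(counts) -> str:
    ike = counts[("out", "ike")] + counts[("in", "ike")]
    esp_out, esp_in = counts[("out", "esp")], counts[("in", "esp")]
    if ike == 0 and esp_out == 0 and esp_in == 0:
        return "no NAT-T traffic on UDP 4500"
    if esp_out and not esp_in:
        return "ESP-in-UDP sent but none received"
    if esp_in and not esp_out:
        return "ESP-in-UDP received but none sent"
    if not esp_out and not esp_in:
        return "IKE on UDP 4500 but no encapsulated ESP"
    return "ESP-in-UDP flowing in both directions"

def make_ike(exchange_type: int) -> bytes:
    # Constructed IKEv1 header (version 0x10) with made-up SPIs and no payloads
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 0, 0x10, exchange_type, 0, 0, 28)
    return NON_ESP_MARKER + hdr

# Constructed capture: IKE both ways, ESP and a keepalive outbound only
SAMPLE = [
    ("out", make_ike(2)), ("in", make_ike(2)),
    ("out", struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)),
    ("out", struct.pack("!II", 0xC0FFEE01, 2) + bytes(16)), ("out", b"\xff"),
]
```

On the constructed sample, `diagnose(summarize(SAMPLE))` reports ESP leaving but none returning, the pattern to expect when UDP 4500 is filtered in one direction.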