08-06-2010 02:50 AM
Can I know what the NAT-T option is, and in which scenarios we should enable it?
08-06-2010 05:37 AM
Hello,
NAT-traversal is needed when a VPN endpoint is behind a NAT device of some sort, typically a PAT device. Due to the fact that ESP (Encapsulating Security Payload - essentially the encrypted packet in most VPNs) is IP protocol 50 and doesn't have any TCP port numbers, it's impossible to PAT the ESP packet - so VPNs behind NAT devices will fail.
NAT-T allows both VPN endpoints to figure out that they are behind NAT, and will allow them to encapsulate the ESP packet in a UDP packet (port 4500) so that the NAT devices can then NAT the VPN traffic correctly.
You can read about Cisco NAT-T here:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1035673
--Jason
08-06-2010 06:29 AM
Is this only required when the PAT comes into the scene? Is this applicable for both Site to Site as well as Remote VPN?
08-06-2010 08:23 AM
If any NAT is in the scenario, you should turn it on. In general, NAT-T doesn't hurt anything, so having it enabled on all sides shouldn't impact anything. You just need to be aware your traffic is travelling over UDP 4500 and that you'll have to allow that port through any filtering devices (firewalls, etc.) as well as ISAKMP and ESP.
--Jason
08-06-2010 08:38 AM
Suppose my VPN device is an ASA, and I have not terminated the internet on the firewall but on the perimeter router, and I have a /30 between the firewall and the router. And I put a NAT in the router for the firewall's outside interface. So basically the NATing happens in the router, and VPN termination will happen in the firewall. In this case, do we require NAT-T? Is this applicable for both Site-to-Site as well as Remote VPN?
[VPN DEVICE]<--------->[ROUTER]<------------------------>INTERNET<------------------------>-[VPNDEVICE]
 private ip             public ip                                                            public ip
(I have only a router (NAT device) at one end)
Regards,
Manu B.
08-06-2010 09:23 AM
Yes, NAT-T applies for both L2L and remote, and if you are NATing any of the devices that are doing VPN, it is required.
--Jason
08-06-2010 09:29 AM
You mean to say, if you are NATing the IP of the VPN termination device? Like my scenario posted above (the VPN device's (firewall) external IP is NATed in the router)?
08-06-2010 09:42 AM
One more point to be cleared: is NAT-T only required when PAT is used?
Please confirm the following packets:
[l2][ip][esp][transport][data][esp trailer][esp auth][l2 checksum]-->transport
[l2][new ip][esp][ip][transport][data][esp trailer][esp auth][l2 checksum]-->tunnel
[l2][ip][UDP/TCP][esp][transport][data][esp trailer][esp auth][l2 checksum]-->transport with NAT-T
[l2][new ip][UDP/TCP][esp][ip][transport][data][esp trailer][esp auth][l2 checksum]-->tunnel with NAT-T
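Added example (not from this thread and not Cisco's code): a small Python model of Jason's explanation above and of the header stacks asked about in the last post. It simulates a PAT device that can only create a mapping when a packet has a transport-layer source port, shows that bare ESP (IP protocol 50) gets no mapping while the same ESP wrapped in UDP 4500 does, and shows how a NAT-T peer tells IKE from ESP on port 4500 using the four-zero-byte non-ESP marker from RFC 3948. The addresses, SPI and "ciphertext" are constructed sample values, and packets are plain dicts rather than real wire encoding.

```python
"""Toy model of why PAT breaks plain ESP and how NAT-T (RFC 3948) fixes it."""
import struct
from typing import List, Optional

ESP = 50           # IP protocol number for ESP (no ports)
UDP = 17           # IP protocol number for UDP
NAT_T_PORT = 4500  # UDP port carrying both IKE and ESP once NAT is detected
# RFC 3948 section 2.2: an IKE message on UDP/4500 starts with four zero bytes;
# an ESP packet starts with its SPI, which is never zero, so the receiver can demux.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header = SPI (4 bytes) + sequence number (4 bytes), then the payload.
    Trailer and ICV are omitted; 'ciphertext' is constructed sample data, not real encryption."""
    return struct.pack("!II", spi, seq) + ciphertext


def ip_packet(proto: int, src: str, dst: str, payload: bytes,
              sport: Optional[int] = None, dport: Optional[int] = None) -> dict:
    """Minimal IP packet model; ports exist only for TCP (6) and UDP (17)."""
    pkt = {"proto": proto, "src": src, "dst": dst, "payload": payload}
    if proto in (6, 17):
        pkt["sport"], pkt["dport"] = sport, dport
    return pkt


class PatDevice:
    """Port Address Translation: many private hosts share one public IP,
    and returning traffic is matched back by the translated source port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (private_ip, private_port) -> public_port

    def translate_outbound(self, pkt: dict) -> Optional[dict]:
        """Return the translated packet, or None when there is no port to rewrite."""
        if "sport" not in pkt:
            return None  # ESP has no transport header, so PAT cannot build a mapping
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.table[key]}


def nat_t_encapsulate(pkt: dict) -> dict:
    """NAT-T: the whole ESP packet becomes the payload of a UDP datagram with
    sport = dport = 4500. The outer UDP header gives PAT a port to rewrite."""
    assert pkt["proto"] == ESP
    return ip_packet(UDP, pkt["src"], pkt["dst"], pkt["payload"], NAT_T_PORT, NAT_T_PORT)


def demux_port_4500(udp_payload: bytes) -> str:
    """Receiver side: decide whether a UDP/4500 datagram carries IKE or ESP."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return f"esp spi=0x{spi:08x}"


def header_stack(mode: str, nat_t: bool) -> List[str]:
    """Header order on the wire (RFC 4303, RFC 3948); link-layer framing omitted.
    NAT-T encapsulation is UDP only; ESP over TCP is a separate, vendor-specific feature."""
    inner = ["transport", "data"] if mode == "transport" else ["inner ip", "transport", "data"]
    outer = ["ip"] + (["udp 4500"] if nat_t else [])
    return outer + ["esp"] + inner + ["esp trailer", "esp auth"]


def demo():
    """Same ESP packet sent through PAT with and without NAT-T encapsulation."""
    pat = PatDevice("203.0.113.1")  # constructed documentation address
    esp = ip_packet(ESP, "192.168.1.10", "198.51.100.5",
                    esp_packet(0x1000ABCD, 1, b"constructed ciphertext"))
    without_nat_t = pat.translate_outbound(esp)          # None: nothing to map
    with_nat_t = pat.translate_outbound(nat_t_encapsulate(esp))
    return without_nat_t, with_nat_t


if __name__ == "__main__":
    plain, natt = demo()
    print("bare ESP through PAT:", plain)
    print("NAT-T ESP through PAT:", natt["src"], natt["sport"], "->", natt["dst"], natt["dport"])
    print("demux:", demux_port_4500(NON_ESP_MARKER + b"ike"), "|", demux_port_4500(natt["payload"]))
    print("tunnel + NAT-T:", header_stack("tunnel", True))
```

The model leaves out what a real peer does with the translated port: the responder learns it from the source port of the received datagram and replies there, and periodic UDP keepalives keep the PAT mapping alive while the tunnel is idle. It also shows why the filtering rule in Jason's answer is what it is: once NAT-T is negotiated, the ESP traffic a firewall sees is UDP/4500, not protocol 50.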