VPN via NAT

gongya
Level 1

I have the following topology:

[Image: CiscoASA-NAT-T.PNG]

With NAT-T disabled on the Cisco ASA (no crypto isakmp nat-traversal 20), I got the following:

[Image: CiscoASA-NAT-T-Capture-1.PNG]

I thought the VPN should fail. What did I miss here?

Thanks a lot!


10 Replies

I don't get what you are asking here?

Sorry. What I'd like to ask is:

1. Must NAT-T be enabled on both ends to bring the VPN up?

2. The test above only has NAT-T enabled on the remote peer; the ASA has NAT-T disabled globally. The VPN is up.

3. It might be related to the NAT I configured. The NAT above is static NAT.

I will try PAT to see whether the VPN requires NAT-T enabled on both ends.

Thanks so much!

@gongya with NAT-T disabled on either device, a VPN can be established when using Static NAT.

If using PAT this is when you need NAT-T on both devices, as ESP does not have ports to be translated.
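To make the distinction in the answer above concrete, here is an added example (not code from the thread or from Cisco) that models a 1:1 static NAT and a port-based PAT as small translation tables and pushes raw ESP (IP protocol 50, no ports) and NAT-T-encapsulated ESP (UDP/4500) through each. All addresses, the SPI value and the "peer" that simply swaps addresses are constructed for the demonstration; the model deliberately leaves out vendor "ESP passthrough" or SPI-tracking tricks that some real NATs use for a single inside host.

```python
"""Why ESP crosses static NAT without NAT-T but needs UDP encapsulation behind PAT.

Added example, not from the original thread. The inside (10.0.0.0/24), outside
(203.0.113.0/24) and peer (198.51.100.1) addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional

ESP = 50            # IP protocol number for ESP: it has no transport-layer ports
UDP = 17
NAT_T_PORT = 4500   # UDP port used for NAT-T (UDP-encapsulated ESP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for raw ESP
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # constructed SPI, carried along for clarity


class StaticNat:
    """1:1 IP translation. Only the IP header is rewritten, so any IP
    protocol, ESP included, passes in both directions."""
    def __init__(self, inside_to_outside: dict):
        self.out = dict(inside_to_outside)
        self.inn = {v: k for k, v in self.out.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.out:
            return None
        return replace(pkt, src_ip=self.out[pkt.src_ip])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip not in self.inn:
            return None
        return replace(pkt, dst_ip=self.inn[pkt.dst_ip])


class Pat:
    """Port Address Translation: inside flows are keyed by (src_ip, src_port)
    and mapped to (outside_ip, unique outside port). A packet without a
    transport port cannot be entered into the table, so it is dropped."""
    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.bindings = {}   # (inside_ip, inside_port) -> outside_port
        self.reverse = {}    # outside_port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            return None      # raw ESP: nothing to translate, nothing to track
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.bindings:
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[port] = key
        return replace(pkt, src_ip=self.outside_ip, src_port=self.bindings[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.outside_ip or pkt.dst_port not in self.reverse:
            return None
        ip, port = self.reverse[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap ESP in UDP/4500, as peers do once IKE has detected a NAT in the path."""
    assert esp.proto == ESP
    return replace(esp, proto=UDP, src_port=NAT_T_PORT, dst_port=NAT_T_PORT)


def nat_t_decapsulate(udp: Packet) -> Packet:
    """Strip the UDP/4500 header at the receiving peer, restoring raw ESP."""
    assert udp.proto == UDP and udp.dst_port == NAT_T_PORT
    return replace(udp, proto=ESP, src_port=None, dst_port=None)


def peer_reply(pkt: Packet) -> Packet:
    """Constructed remote peer: answers by swapping addresses and ports."""
    return replace(pkt, src_ip=pkt.dst_ip, dst_ip=pkt.src_ip,
                   src_port=pkt.dst_port, dst_port=pkt.src_port)


def round_trip(nat, outbound_pkt: Packet) -> Optional[Packet]:
    """Send a packet out through the NAT, let the peer answer, bring it back.
    Returns the packet delivered to the inside host, or None if dropped."""
    translated = nat.outbound(outbound_pkt)
    if translated is None:
        return None
    return nat.inbound(peer_reply(translated))


def scenarios() -> dict:
    inside, outside, peer = "10.0.0.5", "203.0.113.5", "198.51.100.1"
    esp = Packet(proto=ESP, src_ip=inside, dst_ip=peer, spi=0x1000)
    results = {}
    # 1) Static NAT, NAT-T disabled: raw ESP is translated by IP and returns.
    back = round_trip(StaticNat({inside: outside}), esp)
    results["static_nat_raw_esp"] = back is not None and back.dst_ip == inside
    # 2) PAT, NAT-T disabled: raw ESP has no port and is dropped at the translator.
    results["pat_raw_esp"] = round_trip(Pat("203.0.113.1"), esp) is not None
    # 3) PAT with NAT-T: ESP inside UDP/4500 is handled like any UDP flow.
    back = round_trip(Pat("203.0.113.1"), nat_t_encapsulate(esp))
    results["pat_nat_t"] = back is not None and nat_t_decapsulate(back).dst_ip == inside
    # 4) Two inside hosts behind one PAT address get distinct outside ports.
    pat = Pat("203.0.113.1")
    a = pat.outbound(nat_t_encapsulate(esp))
    b = pat.outbound(nat_t_encapsulate(replace(esp, src_ip="10.0.0.6", spi=0x2000)))
    results["pat_two_hosts_distinct_ports"] = a.src_port != b.src_port
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'passes' if ok else 'dropped'}")
```

The model is the reason behind the answer: static NAT rewrites only IP addresses, so ESP needs nothing from NAT-T, while PAT needs a port to build and look up its binding, which only the UDP/4500 encapsulation supplies. Note that IKE itself (UDP/500) always has ports and would succeed through PAT in both cases; it is the ESP data path that fails without NAT-T.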

Thanks a lot! Clear now.

I think you misconfigured the peer in the crypto map;
static NAT works if you disable NAT-T.

Thanks a lot! Clear now!

You are so so welcome 

One more question to bother.

[Image: CiscoASA-NAT-T-options.PNG]

crypto isakmp nat-traversal 20

Does this command achieve both option 1 and option 2, or are there separate commands for each option?

Thanks so much!

@gongya I've never used it, but it seems to be related to IKEv1 remote access VPN connections.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-groups.html?bookSearch=true

It uses a different command from NAT-T. To enable IPsec over UDP, configure the ipsec-udp command with the enable keyword in group-policy configuration mode, as follows:

hostname(config-group-policy)# ipsec-udp  {enable  | disable }
hostname(config-group-policy)# no ipsec-udp 
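For the two options side by side, here is an added ASA configuration fragment (an example, not configuration from the thread): the global NAT-T setting, which applies to every IKE negotiation on the box, next to the per-group-policy IPsec over UDP setting for IKEv1 remote access. The group-policy name RA-POLICY is a placeholder; the keepalive interval (20 seconds) and UDP port (10000) shown are the defaults for each command.

```cisco
! Option 1: standards-based NAT-T. ESP is encapsulated in UDP/4500 when IKE
! detects a NAT between the peers. Global; the argument is the NAT keepalive
! interval in seconds (default 20).
crypto isakmp nat-traversal 20

! Option 2: Cisco IPsec over UDP, per group policy. Used by IKEv1 remote-access
! clients; independent of the NAT-T setting above.
group-policy RA-POLICY attributes
 ipsec-udp enable
 ipsec-udp-port 10000
```

Both can be present at once: a site-to-site tunnel behind PAT relies on option 1, while option 2 only affects clients that land in that group policy.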

Thanks so much!