IPsec between two Router through ASA

Unanswered Question
Mar 27th, 2007
User Badges:


I'm running IOS 12.4(3a) on my router 2821. The router is doing NAT for certain IPs and acting as VPN L2L termination point. My network setup as follow:

My Router ------ ASA ------- Internet Router ------ Peer Router


The same interface on the router used for NAT and IPsec termination.

Actually the IPsec traffic passed all the way through the ASA firewall to the internet router finally to the destination Peer router. I?ve noticed that I have to enable NAT-T on ASA to bring the IPsec tunnel up and running, I did it and it?s up.

But now my router negotiates the ISAKMP SA on port 4500 because of NAT-T and the peer router responds back on port 500, it?s a mess, for every 100 ICMP sent packets I got almost 15 ? 20 dropped packets which it is unacceptable behavior at all.

I need to know the possibility to have a workaround to avoid NAT-T or configuring QOS.

Appreciate any useful assistance..


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cairnsm Thu, 03/29/2007 - 13:10
User Badges:

A couple of things:

1 You can disable nat-t on the router with no crypto ipsec nat-traversal udp-encap.

2. IPSec can traverse a NAT as ESP protocol 50 as long as it is a one to one translation.



balsheikh Fri, 03/30/2007 - 05:50
User Badges:

Hi Mark,

NAT-T implemented on the ASA not on the VPN router to permit the IPsec tunnel to be established through it.

I'm totally agree with u on point 2 but once I disabled the NAT-T on the ASA I can't initiate the VPN connection from my side (the remote side should initiate the connection to bring the tunnel up). something strange!!



cairnsm Fri, 03/30/2007 - 06:56
User Badges:


NAT-T on the ASA should only be needed for clients terminating a VPN tunnel on the ASA from behind a NAT device outside (like a home Linksys router). Do you have a static one to one NAT on the ASA to translate your inside router to an outside address or does the router fall into a nat pool that translates to a global outside address?


balsheikh Sat, 03/31/2007 - 05:48
User Badges:

Hi Mark,

okay.. but is there any explanation why once NAT-T disabled on ASA the Ipsec tunnel between routers goes down !!

actaully I have multiple static translations with a VPN clients configured on the ASA.




This Discussion