what is meaning of nat-traversal command

Unanswered Question
Jun 28th, 2007

Can someone explain to me what exactly the nat-traversal command means and what it does in a VPN topology?

Jon Marshall Thu, 06/28/2007 - 01:32


If you have a NAT/PAT device between your vpn client and the vpn headend device this can stop the VPN tunnel working because the port numbers get changed.

In order to get around this you can use nat-traversal which needs to be supported on the client end and the headend device. The IPSEC traffic is encapsulated in UDP packets with port 4500. This allows the NAT to modify the packet without breaking the IPSEC tunnel.
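As an added illustration of the mechanism Jon describes (example code written for this page, not from the thread or from any vendor): on UDP/4500 a receiver tells IKE apart from UDP-encapsulated ESP by a four-byte zero marker, and a headend notices a NAT/PAT device in the path by comparing the peer's NAT-D hash with a hash of the address actually seen on the wire. Framing follows RFC 3948 and RFC 3947; the use of SHA-1 for NAT-D and the sample bytes are assumptions.

```python
import hashlib
import struct

# RFC 3948 section 2.2: IKE carried on UDP/4500 is prefixed with a 4-byte zero
# "Non-ESP marker"; UDP-encapsulated ESP starts directly with its non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_natt_payload(udp_payload: bytes) -> dict:
    """Demultiplex one UDP/4500 payload; 'kind' is keepalive, ike, esp or malformed."""
    if udp_payload == b"\xff":
        return {"kind": "keepalive"}       # NAT-keepalive: a single 0xFF byte
    if len(udp_payload) < 8:
        return {"kind": "malformed"}       # too short for SPI + sequence number
    if udp_payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike_message": udp_payload[4:]}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed here."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed_ip: str, claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """Headend-side check: the NAT-D hash the peer sent (computed from the address it
    believes it has) differs from the hash of the source address seen on the wire
    exactly when a NAT/PAT device rewrote the packet in between."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return sent != observed


# Constructed samples (not captured traffic): an IKE header stub, an ESP packet
# with SPI 0xC0FFEE01 and sequence number 1, and a keepalive.
SAMPLES = {
    "ike": NON_ESP_MARKER + bytes(28),
    "esp": struct.pack("!II", 0xC0FFEE01, 1) + bytes(16),
    "keepalive": b"\xff",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "->", classify_natt_payload(payload)["kind"])
    # Client hashed 192.0.2.10:500, but the headend sees 198.51.100.7:4500 after PAT.
    print("NAT in path:", nat_detected(b"\x01" * 8, b"\x02" * 8,
                                       "192.0.2.10", 500, "198.51.100.7", 4500))
```

When the two hashes match, no NAT is in the path and the peers can stay on ESP and UDP/500; when they differ, both sides switch to UDP/4500 as Jon describes.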



ggilbert Thu, 06/28/2007 - 03:26

Adding to Jon's comment, the head end device should automatically detect whether the receiving connection is through a NAT device or not and then use port 4500 for the handshake.

Unless NAT-T is turned off, at which point just use IPSec over UDP.

Hope this explains.



pankajp Thu, 06/28/2007 - 09:32

Hi Jon, Gilbert,

I read that there is a security risk in implementing NAT-T. How true is that? Is there something that can be done to reduce the risk?

ggilbert Thu, 06/28/2007 - 11:30

Like what risk?

Where did you read it?

Give me the article where you read about it.



Jon Marshall Thu, 06/28/2007 - 23:02


There are different types of vulnerability

1) Theoretical vulnerabilities, i.e. in theory it could be done but no one has ever done it.

2) Vulnerabilities where the attacker would need so much access that if they had that access there would be much easier targets to go for.

3) Vulnerabilities which can be exploited without any special access etc.

Together with this you have to balance these vulnerabilities against how likely your company is to be a target.

Reading through your attachment, the one I would concentrate on is the use of a group wildcard and pre-shared keys. If you are not already doing it, I would strongly recommend you don't use pre-shared keys solely for authentication and use some sort of token-based authentication.
