NAT-T for IPsec tunnels between an ASA and clients.

Unanswered Question
Feb 9th, 2009
User Badges:


I have to replace a VPN3000 platform, which is using a global ip address to terminate multiple IPsec tunnels to remote Internet stations using Cisco VPN clients, with a new ASA5500 IPsec VPN.

The problem is that as part of this upgrade, the new ASA5500 must be assigned with private ip addresses (RFC1918), which means that there will be a device doing NAT somewhere in between.

According with the documentation, to establish IPSec peers through the NAT device is possible by enabling NAT-T in the ASA. Am I right ? Should I observe any additional precaution ?

Kind regards.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Mon, 02/09/2009 - 09:54
User Badges:
  • Cisco Employee,

That would be the only thing you need on your ASA, however make sure that you have the needed ports opened on the NATing device udp 500, 4500 and ESP protocol


This Discussion