need to disable ipsec nat-t on router

Unanswered Question
Mar 11th, 2009
User Badges:


I will need to run ipsec in esp, what is the command to disable nat-t on a router? I have tried "no crypto ipsec nat-transparency udp-encaps" but still see packets in udp 4500.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Wed, 03/11/2009 - 11:51
User Badges:
  • Cisco Employee,

That command disables it, however it disables the fact that the router will reply back on udp 4500, if the remote party (peer or client) has this feature enabled and nat is found on the path then it will still receive those packets.

yuhuiyao Wed, 03/11/2009 - 13:27
User Badges:

Thanks for your reply. I have both sides configured with "no crypto ipsec nat-transparency udp-encaps". Still seeing UDP 4500. There are two nat deivces in the path.

Ivan Martinon Wed, 03/11/2009 - 13:29
User Badges:
  • Cisco Employee,

This command disables the feature, please get the output of the show crypto ipsec sa and the debug cry isakmp.

l.tating Tue, 01/26/2010 - 19:48
User Badges:

Hi yuhuiyao,

I have similar intentions in my network. but when I tried in lab testing i still get IPSec packet encrypted and tunnel built up even i disabled ipsec nat-transparency on both routers. I tried to use different router model and still get IPSec packet encrypted. You can see my scenario in this simple network diagram:

Note: my ios 12.2 does not have nat-t support yet

Test 1:

R7(ios 12.2)--------------------(R3-nat device)-----------------------R8(ios 12.2)      Result: IPSec tunnel is established

Test 2: (typed no crypto ipsec nat-transparency udp-encaps on both IPSec ends)

R1(ios 12.4)--------------------(R7-nat device)-----------------------R3(ios 12.4)      Result: IPSec tunnel is established

Have you solved your problem already since March 2009?



Ivan Martinon Wed, 01/27/2010 - 07:20
User Badges:
  • Cisco Employee,

Hi Lorenz,

By tunnel established you mean IPSEC ESP tunnel or IPSEC NAT-T UDP 4500 tunnel?

l.tating Wed, 01/27/2010 - 18:31
User Badges:

Hi Ivan,

It is the IPSec ESP tunnel. I tried issuing the command "no crypto ipsec nat-transparency udp-encaps"
and "no crypto ipsec nat-transparency spi-matching" on both VPN endpoints.

I noticed however, that when the NAT device is changed to PAT, then the NAT-T feature begin to take part.

Is the NAT-T limited by PAT (interface overload) only?


l.tating Wed, 01/27/2010 - 22:49
User Badges:

Hi Ivan,

In my testing here are my findings:

Given the diagram:

R1(ipsec endpoint)(g0/0)--------------------R7(nat device)----------------------------R3(ipsec endpoint)

R7 translates R1's g0/0 IP address

1. Static NAT - dont care (this means when NAT-T is on, packet is udp-encapsulated, if not, then usual encaps)
2. Static PAT (overload) - working (means NAT-T must be configured on both tunnel endpoints for udp-encaps)
3. Dynamic NAT - not working (no tunnel. IKE Phase 1 fails negotiation)(see debug outputs)

Could you do a similar test on your end so we can prove this scenario?




This Discussion