nat traversal

donnie
Level 1

Hi all.

My company has 2 sites, each configured with a Cisco ASA5510 with VPN. Originally, site A's firewall was configured with only IPsec passthrough, while site B was configured with both IPsec passthrough and NAT traversal. Users at site B could VPN into site A but were unable to access any resources at A. However, from my home I could VPN into site A and access network resources within site A. I then added NAT traversal to site A's firewall to resolve the problem. Why is this so? Can someone also explain the difference between NAT traversal and IPsec passthrough? Thanks in advance.

1 Reply

JORGE RODRIGUEZ
Level 10

IPsec pass-through and NAT-T are two different things: same family but different purposes. Keep them separate so as not to get confused.

IPsec pass-through, besides the inspection engine (which is another topic), opens up the IPsec VPN ports. In earlier PIX versions, 6.x or below, you had to open up the specific IPsec ports with an access list instead so that your inside users could VPN outbound to other VPN gateways. In ASA 7.x and above you no longer need ACLs to accomplish this; inspect ipsec-pass-thru does it.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168

As for enabling NAT-T, the short answer is that it simply allows the PIX/ASA or IOS device, via UDP 4500, to detect NAT devices between them and to further negotiate UDP-encapsulated IPsec packets.

I couldn't explain it better here. To get the picture, read this entire link, and see number 4 (the problem): http://www.ittc.ku.edu/~kpm/ipsec_udp_encap/

A couple of other references: read RFC 3947 and RFC 3948.

http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/rfc3947.txt

http://www.unix-ag.uni-kl.de/~massar/vpnc/docs/rfc3948.txt

Jorge Rodriguez
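The two mechanisms the reply points at, NAT detection with IKE NAT-D payloads (RFC 3947) and UDP encapsulation of ESP on port 4500 (RFC 3948), can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the original post, from Cisco, or from the linked references. It assumes SHA-1 as the IKE hash (the RFC uses whatever hash the IKE SA negotiated), constructed IKE cookies, and constructed addresses from the RFC 1918 and RFC 5737 ranges: a home user at 192.168.1.10:500 behind a NAT that rewrites to 203.0.113.5:12345, talking to a gateway at 198.51.100.1:500.

```python
import hashlib
import socket
import struct

# RFC 3948 section 2.2: an IKE packet on UDP/4500 is prefixed with four zero bytes
# (the "Non-ESP Marker"); an ESP packet starts with its SPI, and SPI 0 is reserved,
# so the first four bytes tell the receiver which one it is looking at.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 section 2.3: a NAT-keepalive is a single 0xFF byte, sent to keep the
# NAT device's UDP mapping alive while the tunnel is idle.
NAT_KEEPALIVE = b"\xff"
# ESP header (RFC 4303): 32-bit SPI followed by a 32-bit sequence number.
ESP_HEADER = struct.Struct("!II")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption here; the RFC uses the hash negotiated for the IKE SA."""
    packed = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Sender side. The first NAT-D carries the hash of the address the sender is
    talking *to*; the rest carry the sender's own address(es) as the sender sees
    them, i.e. before any NAT on the path rewrites them."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        nat_d_hash(cky_i, cky_r, my_ip, my_port),
    ]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: compare what the peer claims with what the IP/UDP headers
    actually show. Returns (peer_behind_nat, self_behind_nat)."""
    claimed_dst, claimed_srcs = received[0], received[1:]
    # The peer's idea of *my* address differs from my own: something rewrote the
    # destination on the way to me, so I am behind a NAT.
    self_behind_nat = claimed_dst != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # None of the peer's claimed source addresses matches the source I saw on the
    # wire: something rewrote the source, so the peer is behind a NAT.
    seen = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = seen not in claimed_srcs
    return peer_behind_nat, self_behind_nat


def encap_ike(ike_message: bytes) -> bytes:
    """RFC 3948 section 2.2: IKE on UDP/4500 = Non-ESP Marker + IKE message."""
    return NON_ESP_MARKER + ike_message


def encap_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """RFC 3948 section 2.1: ESP on UDP/4500 is the bare ESP packet as UDP payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would be mistaken for the Non-ESP Marker")
    return ESP_HEADER.pack(spi, seq) + ciphertext


def demux_udp4500(payload: bytes):
    """What a NAT-T gateway does with every datagram that arrives on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        return ("ike", payload[len(NON_ESP_MARKER):])
    if len(payload) < ESP_HEADER.size:
        return ("malformed", None)
    spi, seq = ESP_HEADER.unpack_from(payload)
    return ("esp", (spi, seq, payload[ESP_HEADER.size:]))


def negotiate(initiator_ip, initiator_port, nat_src_ip, nat_src_port, responder_ip, responder_port):
    """Run the NAT-D exchange for one IKE initiator and report whether NAT-T has to
    move the SA to UDP-encapsulated ESP on port 4500. Cookies are constructed."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    sent = build_nat_d_payloads(cky_i, cky_r, initiator_ip, initiator_port,
                                responder_ip, responder_port)
    peer_nat, self_nat = detect_nat(cky_i, cky_r, sent, nat_src_ip, nat_src_port,
                                    responder_ip, responder_port)
    return {"initiator_behind_nat": peer_nat,
            "responder_behind_nat": self_nat,
            "use_udp_encapsulation": peer_nat or self_nat}


if __name__ == "__main__":
    # Home user 192.168.1.10:500 behind a NAT that rewrites to 203.0.113.5:12345.
    print(negotiate("192.168.1.10", 500, "203.0.113.5", 12345, "198.51.100.1", 500))
    # Site-to-site with both gateways on public addresses: nothing is rewritten.
    print(negotiate("203.0.113.9", 500, "203.0.113.9", 500, "198.51.100.1", 500))
    # Once NAT is detected, ESP rides inside UDP/4500 next to IKE and keepalives.
    print(demux_udp4500(encap_esp(0x12345678, 1, b"<ciphertext>")))
    print(demux_udp4500(encap_ike(b"<ike header>")))
    print(demux_udp4500(NAT_KEEPALIVE))
```

The first `negotiate` call reports the initiator behind NAT and switches the SA to UDP encapsulation; the second, with both addresses public, keeps plain ESP. The reason the switch matters is that native ESP (IP protocol 50) carries no port numbers, so a port-translating NAT has nothing to rewrite or multiplex on; wrapping it in UDP/4500 gives the NAT a flow it can track, which is the part pass-through alone does not provide.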