Jason Gervia Fri, 08/06/2010 - 05:37


NAT-traversal is needed when a VPN endpoint is behind a NAT device of some sort, typically a PAT device.  Due to the fact that ESP (Encapsulating Security Payload - essentially the encrypted packet in most VPNs) is IP protocol 50 and doesn't have any TCP port numbers, it's impossible to PAT the ESP packet - so VPNs behind NAT devices will fail.

NAT-T allows both VPN endpoints to figure out that they are behind NAT, and will allow them to encapsulate the ESP packet in a UDP packet (port 4500) so that the NAT devices can then NAT the VPN traffic correctly.

You can read about Cisco NAT-T here:



manuadoor Fri, 08/06/2010 - 06:29

Is this only required when PAT comes into the scene? Is this applicable for both Site-to-Site as well as Remote VPN?

Jason Gervia Fri, 08/06/2010 - 08:23

If any NAT is in the scenario, you should turn it on.  In general, NAT-T doesn't hurt anything, so having it enabled on all sides shouldn't impact anything.  You just need to be aware your traffic is travelling over UDP 4500 and that you'll have to allow that port through any filtering devices (firewalls, etc.) as well as ISAKMP and ESP.


manuadoor Fri, 08/06/2010 - 08:38

Suppose my VPN device is an ASA, and I have not terminated the internet on the firewall but on the perimeter router, and I have a /30 between the firewall and the router. And I put a NAT in the router for the firewall outside interface. So basically the NATting happens in the router, and VPN termination happens in the firewall. In this case, do we require NAT-T? Is this applicable for both Site-to-Site as well as Remote VPN?

[VPN DEVICE]<--------->[ROUTER]<------------------------>INTERNET<------------------------>-[VPNDEVICE]

                       private ip               public ip                                                         public ip

(I have only a router (NAT device) at one end)


Manu B.

Jason Gervia Fri, 08/06/2010 - 09:23

Yes, NAT-T applies for both L2L and remote, and if you are NATting any of the devices that are doing VPN, it is required.


manuadoor Fri, 08/06/2010 - 09:29

You mean to say, if you are NATting the IP of the VPN termination device? Like my scenario posted above (the VPN device (FW) external IP is NATted in the router).

manuadoor Fri, 08/06/2010 - 09:42

One more point to be cleared: is NAT-T only required when PAT is used?

Please confirm the following packets:

[l2][ip][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport

[l2][new ip][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel

[l2][ip][UDP/TCP][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport with NAT-T

[l2][new ip][UDP/TCP][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel with NAT-T
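
The point made in the first post (raw ESP is IP protocol 50 with no port field, so a PAT device has nothing to translate, while NAT-T wraps ESP in UDP 4500) can be checked against constructed packets. This is an added example, not code from the thread or from Cisco: the packets are built inline with zeroed checksums, the helper names (classify, pat_translate) are the example's own, and the non-ESP marker / keepalive handling follows the UDP-encapsulated ESP format (RFC 3948).

```python
import struct

ESP_PROTO, UDP_PROTO, TCP_PROTO = 50, 17, 6
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes prefix IKE carried on UDP 4500

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, ip(src), ip(dst))

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)   # SPI and sequence number, then ciphertext

def classify(pkt):
    """Return (kind, spi) for raw ESP, NAT-T ESP, IKE on 4500, or a NAT-T keepalive."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return ("esp", struct.unpack("!I", body[:4])[0])
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if NAT_T_PORT in (sport, dport):
            if payload == b"\xff":                 # one-byte NAT keepalive
                return ("nat-keepalive", None)
            if payload[:4] == NON_ESP_MARKER:      # IKE sharing the NAT-T port
                return ("ike-over-4500", None)
            return ("udp-encapsulated-esp", struct.unpack("!I", payload[:4])[0])
        return ("udp", None)
    return ("other", None)

def pat_translate(pkt, new_src_ip, new_src_port):
    """Simulate PAT: rewrite source IP and port. Raw ESP has no port, so return None."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (UDP_PROTO, TCP_PROTO):
        return None                                # nothing to map for protocol 50
    new_ip = pkt[:12] + bytes(int(o) for o in new_src_ip.split(".")) + pkt[16:ihl]
    return new_ip + struct.pack("!H", new_src_port) + pkt[ihl + 2:]

# Constructed samples: same ESP payload, sent raw and inside a NAT-T UDP wrapper.
ESP_PAYLOAD = esp_header(0x1234ABCD, 7) + b"\x00" * 16
RAW_ESP = ipv4_header("10.0.0.5", "198.51.100.1", ESP_PROTO, len(ESP_PAYLOAD)) + ESP_PAYLOAD
NATT_ESP = (ipv4_header("10.0.0.5", "198.51.100.1", UDP_PROTO, 8 + len(ESP_PAYLOAD))
            + udp_header(NAT_T_PORT, NAT_T_PORT, len(ESP_PAYLOAD)) + ESP_PAYLOAD)

if __name__ == "__main__":
    print(classify(RAW_ESP), pat_translate(RAW_ESP, "203.0.113.9", 40000))
    print(classify(pat_translate(NATT_ESP, "203.0.113.9", 40000)))
```

Running it shows the raw ESP packet cannot be port-translated at all, while the NAT-T packet survives PAT and is still recognised as ESP by its SPI after its source port changed.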
