NAT-T

manuadoor
Level 1

Can I know what the NAT-T option is, and in which scenarios we should enable it?

7 Replies

Jason Gervia
Cisco Employee

Hello,

NAT-traversal is needed when a VPN endpoint is behind a NAT device of some sort, typically a PAT device. Due to the fact that ESP (Encapsulating Security Payload - essentially the encrypted packet in most VPNs) is IP protocol 50 and doesn't have any TCP port numbers, it's impossible to PAT the ESP packet - so VPNs behind NAT devices will fail.


NAT-T allows both VPN endpoints to figure out that they are behind NAT, and will allow them to encapsulate the ESP packet in a UDP packet (port 4500) so that the NAT devices can then NAT the VPN traffic correctly.

You can read about Cisco NAT-T here:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1035673

--Jason

Is this only required when the PAT comes into the scene? Is this applicable for both Site to Site as well as Remote VPN?

If any NAT is in the scenario, you should turn it on. In general, NAT-T doesn't hurt anything, so having it enabled on all sides shouldn't impact anything. You just need to be aware that your traffic is travelling over UDP 4500 and that you'll have to allow that port through any filtering devices (firewalls, etc.) as well as ISAKMP and ESP.

--Jason

Suppose my VPN device is an ASA, and I have not terminated the Internet on the firewall but on the perimeter router, and I have a /30 between the firewall and the router. And I put a NAT in the router for the firewall outside interface. So basically NATting happens in the router, and VPN termination will happen in the firewall. In this case, do we require NAT-T? Is this applicable for both Site-to-Site as well as Remote VPN?

[VPN DEVICE]<--------->[ROUTER]<------------------------>INTERNET<------------------------>[VPN DEVICE]
 private ip             public ip                                                            public ip

(I have only a router (NAT device) on one end)

Regards,

Manu B.

Yes, NAT-T applies for both l2l and remote, and if you are natting any of the devices that are doing VPN, it is required.

--Jason

You mean to say, if you are NATting the IP of the VPN termination device? Like my scenario posted above (the VPN device (FW) external IP is NATted in the router).

One more point to be cleared: is NAT-T only required when PAT is used?

Please confirm the following packets:


[l2][ip][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport

[l2][new ip][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel

[l2][ip][UDP/TCP][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport with NAT-T

[l2][new ip][UDP/TCP][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel with NAT-T
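As an added example (not from this thread or from Cisco documentation), the Python script below models Jason's explanation and the packet layouts above: a PAT device needs an L4 port to rewrite, so raw ESP (IP protocol 50) cannot be translated, while the same ESP wrapped in UDP 4500 can; it also shows how a receiver on UDP 4500 tells IKE from ESP using the RFC 3948 Non-ESP marker. The addresses, SPI and ciphertext are constructed, and checksums are left zero.

```python
import ipaddress
import struct

ESP = 50                       # IP protocol number of ESP: the header has no port fields
UDP = 17
NAT_T_PORT = 4500              # UDP port that carries NAT-T encapsulated ESP (and IKE)
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes mean IKE; otherwise the 4 bytes are an ESP SPI

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number); encrypted payload, trailer and ICV are opaque bytes here."""
    return struct.pack("!II", spi, seq) + ciphertext

def udp_encap(payload, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Wrap a payload in a UDP header (length filled in, checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pat_outbound(packet, public_ip, pool_port):
    """Simulated PAT device: rewrite the source IP and allocate a new L4 source port.
    Returns the translated packet, or None when the protocol has no port to translate."""
    if packet[9] not in (UDP, 6):      # protocol byte: only UDP/TCP carry port fields
        return None                    # raw ESP (protocol 50) cannot be PATted
    new_ip = packet[:12] + ipaddress.IPv4Address(public_ip).packed + packet[16:20]
    return new_ip + struct.pack("!H", pool_port) + packet[22:]

def classify_nat_t(udp_payload):
    """What a UDP/4500 receiver sees: ('ike', None) behind the Non-ESP marker, else ('esp', spi)."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    return ("esp", struct.unpack("!I", udp_payload[:4])[0])

if __name__ == "__main__":
    # Constructed: VPN device 10.0.0.2 behind a PAT router (public 198.51.100.1), peer 203.0.113.9
    inner = esp(spi=0x1000, seq=1, ciphertext=b"\xaa" * 32)
    raw = ipv4("10.0.0.2", "203.0.113.9", ESP, inner)             # tunnel-mode ESP without NAT-T
    print("raw ESP through PAT:", pat_outbound(raw, "198.51.100.1", 40000))
    natt = ipv4("10.0.0.2", "203.0.113.9", UDP, udp_encap(inner))  # same ESP inside UDP 4500
    out = pat_outbound(natt, "198.51.100.1", 40000)
    print("NAT-T through PAT: src", ipaddress.IPv4Address(out[12:16]), "sport", struct.unpack("!H", out[20:22])[0])
    print("receiver classifies:", classify_nat_t(out[28:]))
```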
