S2S VPN Query from Router to Router

Unanswered Question
Aug 14th, 2010

Hi experts,

I have an issue: I am establishing a S2S VPN between 2 routers with an ASA in between them. There is no NAT configuration done on any of the routers; however, NAT is applied on the ASA. There is "no nat-control" on the ASA in addition to the below config, which will turn on NAT again:

nat (inside) 1 0 0

global (outside)1 interface

Also icmp, esp, udp 500 and 4500 are allowed on the ASA outside interface. The issue is that when I remove the NAT config, the S2S tunnel is established between the 2 routers; however, when the above-mentioned NAT is enabled, the S2S tunnel is torn down.

Topology :

( R1( ASA (Outside- R2 (


R2#ping source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of


Working debugs (without NAT on ASA)

03:06:29: ISAKMP: received ke message (1/1)
03:06:29: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
03:06:29: ISAKMP: Created a peer struct for, peer port 500
03:06:29: ISAKMP: Locking peer struct 0x82E5E04C, IKE refcount 1 for isakmp_initiator
03:06:29: ISAKMP: local port 500, remote port 500
03:06:29: ISAKMP: set new node 0 to QM_IDLE
03:06:29: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8283DAE8
03:06:29: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
03:06:29: ISAKMP: Looking for a matching key for in default : success
03:06:29: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
03:06:29: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
03:06:29: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
03:06:29: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

03:06:29: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:06:29: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
03:06:29: ISAKMP (0:0): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
03:06:29: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2


Non working debugs (NAT on ASA)

02:38:40: ISAKMP: received ke message (1/1)
02:38:40: ISAKMP: set new node 0 to QM_IDLE
02:38:40: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local, remote
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:40: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
02:38:40: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:50: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:55: ISAKMP: quick mode timer expired.
02:38:55: ISAKMP:(0:0:N/A:0):src dst, SA is not authenticated
02:38:55: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer
02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer
02:38:55: ISAKMP: Unlocking IKE struct 0x8283F5C0 for isadb_mark_sa_deleted(), count 0
02:38:55: ISAKMP: Deleting peer node by peer_reap for 8283F5C0
02:38:55: ISAKMP:(0:0:N/A:0):deleting node -430173282 error FALSE reason "IKE deleted"
02:38:55: ISAKMP:(0:0:N/A:0):deleting node -1682555595 error FALSE reason "IKE deleted"
02:38:55: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
02:38:55: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA


I believe crypto ipsec nat-transparency udp-encapsulation is enabled by default for bypassing the NAT devices in between. Please help me as to whether I am missing something here and guide me to rectify the same.

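The two debug captures in the question differ in one detail that is easy to miss when reading the raw lines: in the working capture the initiator sends its first main-mode packet and gets a "received packet" line back, after which the state moves from IKE_I_MM1 to IKE_I_MM2; in the non-working capture there is no received packet at all, only retransmits of MM_NO_STATE until the QM timer deletes the SA. That pattern means the peer's reply never reached the initiator (or the initiator's packet never reached the peer), which is what a dynamic PAT with no static translation for inbound UDP/500 produces. The following script is an added example, not code from the original thread; it reads `debug crypto isakmp` text and classifies it by that signature. The debug lines embedded in it are constructed from the excerpts above, trimmed to the lines that matter.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for a Phase 1 stuck in MM_NO_STATE.

Added example: classifies a debug capture as either a Phase 1 that is
progressing (a reply arrived and the state advanced past IKE_I_MM1) or a
Phase 1 that never received a reply and only retransmitted until the
QM timer expired (the symptom when the firewall in the path drops or
mistranslates the inbound UDP/500 packet).
"""
import re
from collections import Counter

# Constructed sample input: a trimmed copy of the working capture above.
WORKING_DEBUG = """\
03:06:29: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:06:29: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
03:06:29: ISAKMP (0:0): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

# Constructed sample input: a trimmed copy of the non-working capture above.
BROKEN_DEBUG = """\
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:40: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:50: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:55: ISAKMP: quick mode timer expired.
02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer
02:38:55: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# IOS prints every IKE state change in this fixed form.
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")


def summarize_isakmp(debug_text):
    """Count the events that matter for Phase 1 and collect the state transitions."""
    counts = Counter()
    transitions = []
    for line in debug_text.splitlines():
        if "sending packet" in line:
            counts["sent"] += 1
        if "received packet" in line:
            counts["received"] += 1
        if "retransmitting phase 1" in line:
            counts["retransmit"] += 1
        if "QM_TIMER expired" in line:
            counts["qm_timer_expired"] += 1
        m = STATE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
    return counts, transitions


def diagnose(debug_text):
    """Return a short verdict string for the capture.

    'phase1-progressing'  - at least one packet came back and the final
                            state is not the deleted-SA state.
    'no-reply-from-peer'  - nothing was ever received; the initiator only
                            retransmitted MM_NO_STATE (check NAT/firewall
                            handling of UDP/500 in the path).
    'inconclusive'        - neither pattern is clearly present.
    """
    counts, transitions = summarize_isakmp(debug_text)
    final_state = transitions[-1][1] if transitions else None
    if counts["received"] > 0 and final_state not in (None, "IKE_DEST_SA"):
        return "phase1-progressing"
    if counts["received"] == 0 and counts["retransmit"] > 0:
        return "no-reply-from-peer"
    return "inconclusive"


if __name__ == "__main__":
    for name, text in (("working", WORKING_DEBUG), ("broken", BROKEN_DEBUG)):
        counts, transitions = summarize_isakmp(text)
        print(name, diagnose(text), dict(counts), transitions[-1])
```

The verdict only tells you that the first exchange is one-directional; it does not say which hop is at fault. Pairing it with a packet capture on the ASA outside interface (looking for UDP/500 arriving from the remote peer and whether a translated reply leaves) is what isolates the PAT as the cause.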
Nagaraja Thanthry Sat, 08/14/2010 - 19:40


The NAT rule will force the traffic from the inside router to go via the Dynamic PAT process. Please try the following:

access-list nonat permit ip host

nat (inside) 0 access-list nonat

Hope this helps.



Jennifer Halim Sat, 08/14/2010 - 19:42

Hi Ankur,

Based on your topology, if you have NAT configured, then the IPSec tunnel can only be initiated from R1, because you would need to have static NAT configured to be able to initiate the VPN tunnel from the outside (R2). NAT is dynamic translation and it's not bidirectional (it's only for outbound connections).

With NAT configured, the peer address for R2 also changes to the ASA outside interface.

Can you advise what is the status of Phase 1 (show cry isa sa), and status of Phase 2 (if there is, show cry ipsec sa).

Lastly, you would also need to enable "inspect ipsec-pass-thru" on the ASA to pass through IPSec tunnel that is associated to the IKE connection:


ankurs2008 Sun, 08/15/2010 - 05:32

Hi halijenn / NT

thanks for looking into this .

In the output of "sh cry isa sa", I get MM_NO_STATE. I have already tried enabling inspect ipsec-pass-thru on the ASA; however, no success. In addition to that, I thought that the traffic from R1 to R2 will be encrypted once it reaches the ASA inside (considering I initiate the traffic from R1), hence there is no requirement for "NAT 0 with ACL". Do I have to do a NONAT between the external IP addresses of R1 and R2 in the ASA? Also, I can understand that the traffic from R2 to R1 will be initiated only if I put a static NAT in the ASA; however, can you tell me what static I need to apply?

I have one more query. In a practical environment where there are 2 organizations / branches who are trying to set up a S2S tunnel between routers and they encounter a large number of NATting devices as the intermediate hops between those 2 routers, do we need to configure a NONAT ACL and inspect ipsec-pass-thru in all those devices? I don't think so, as that's the reason NAT Traversal is there. Due to this reason, I didn't apply NONAT with an ACL. According to my thought process, crypto ipsec nat-transparency udp-encapsulation on R1 and R2 will accomplish the same.

Please let me know regarding my query .

Jennifer Halim Sun, 08/15/2010 - 20:58

The NONAT ACL will not be for the actual traffic that you would like to encrypt (ie: it's not for the local and remote subnets), but it would be for the router external ip address (the vpn termination interface ip address, which you normally define as the "set peer" ip address).

Is the R1 external interface a private ip address or a public ip address? If R1 is already a public ip address, then on the ASA you just configure NONAT between the R1 external ip address and the R2 external ip address. However, if R1 is a private ip address, then you would need to NAT it (using either static NAT or PAT (nat/global pair)) so it is routable on the internet. If R1 is already running on a public ip address, there is no need to PAT it again on the ASA, hence you would configure NAT exemption (NONAT) on the ASA.

As far as the ASA is concerned, it will not see the router local and remote subnets because by the time the traffic gets to the ASA, it would already be encrypted. So the ASA will only see UDP/500 and ESP/UDP/4500.

ankurs2008 Mon, 08/16/2010 - 01:42

hi halijenn

thanks for the reply. If R1 and R2 are running on public ip addresses, why would we even require configuring NAT exemption (NONAT) in the ASA between the R1 and R2 public IPs? I have understood everything except one thing. In the practical scenario (consider that my example above was from a usual lab environment), if there are hundreds of intermediate hops which are L3 and NATting devices as well, will we configure NONAT on each and every intermediate hop coming in the way? Isn't it the case that we should only require crypto ipsec nat-transparency udp-encapsulation on R1 and R2, and it should auto-detect the NAT devices in between and encapsulate the ESP in UDP packets, due to which an administrator should only need to open UDP 4500 to let the IPSEC pass-through traffic in?

Jennifer Halim Mon, 08/16/2010 - 03:24

In normal circumstances, out on the Internet, the Internet routers themselves will not be performing any NAT at all. The only place where NAT will be performed is normally at the customer's network, or on the devices which connect to the ISP; therefore, Internet routers can pass through ESP with no problem.

The reason why you need to configure NONAT on the ASA is because you advised earlier that you have the following configured:

nat (inside) 1 0 0

global (outside) 1 interface

When you have the above configured, if you don't want to NAT traffic from inside outbound, you would need to explicitly configure NAT exemption (NONAT); otherwise, it will get PATed to the ASA outside interface.

Please remember the ASA firewall concept with NATing. So even if you have a public ip address, the ASA wouldn't understand that concept once you configure the above PAT, unless you explicitly configure NAT exemption to exempt it from being NATed.

The same goes for a router: if you have a router instead of an ASA, and if you configure an ACL that determines which traffic needs to be NATed, and if the ACL is permit ip any any, anything will be NATed unless you configure an exemption to not NAT the traffic.

Hope it makes sense.

ankurs2008 Mon, 08/16/2010 - 13:14

hi halijenn

my issue is not NATting; I have already understood the concept of NO NAT with an ACL and that it is required to be there in the ASA from the public IP of R1 to R2. My issue is what exactly the role of "crypto ipsec nat-transparency udp-encapsulation" is over here: whether it is playing any role or not. If not, whether it is an ideal scenario for NAT Traversal to play a role over here?

Jennifer Halim Mon, 08/16/2010 - 14:50

"crypto ipsec nat-transparency udp-encapsulation" definitely plays a role, ie: during the IKE (Phase 1) negotiation, it will detect whether there is any NAT device in the path. If it does detect that there is NAT in between, it will negotiate so that the ESP packet (Phase 2) is encapsulated in UDP. By default, it will use UDP/4500.
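The detection described in the reply above works through the NAT-D payloads of IKEv1 NAT-T (RFC 3947): each side sends a hash of the peer's address and port followed by a hash of its own address and port, computed over the IKE cookies; the receiver recomputes those hashes from the source address it actually sees on the wire, and a mismatch means a NAT rewrote the packet on that side. The script below is an added example, not code from the thread; it carries that computation through with constructed addresses (R1 on 10.1.1.1, R2 on 203.0.113.2, ASA outside on 198.51.100.1, all chosen for the example) and assumes SHA-1 as the negotiated Phase 1 hash. It also shows why NAT-T alone does not rescue the thread's setup: NAT-D is only compared once the first main-mode packets have been exchanged, so a PAT that never lets the inbound UDP/500 packet through is never reached by the detection.

```python
"""NAT discovery as done by IKEv1 NAT-T (RFC 3947), worked on constructed values.

Added example, not the routers' code. HASH is the Phase 1 hash algorithm;
SHA-1 is assumed here. Addresses are constructed for the example.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), IP in network byte order, port as 2 bytes."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """A sender lists the hash of the peer's address first, then its own address."""
    return [
        nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: compare the peer's NAT-D payloads with what is seen on the wire.

    received[0] is the peer's view of *my* address; if it differs from my own
    hash, I am behind a NAT.  received[1:] are the peer's own addresses; if
    none of them matches the hash of the packet's actual source, the peer is
    behind a NAT.
    """
    expected_me = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    expected_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    return {
        "nat_behind_me": received[0] != expected_me,
        "nat_behind_peer": expected_peer not in received[1:],
    }


def scenario(nat_between):
    """R1 initiates to R2; optionally an ASA PATs R1's packet on the way.

    Returns the detection result from R2's point of view plus the Phase 2
    transport the peers would settle on (UDP/4500 encapsulation when any
    NAT is detected, plain ESP otherwise).
    """
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie
    r1_ip, r2_ip, asa_outside = "10.1.1.1", "203.0.113.2", "198.51.100.1"

    # R1 builds its NAT-D payloads from the addresses it knows about.
    payloads = build_nat_d_payloads(cky_i, cky_r, r1_ip, 500, r2_ip, 500)

    # What R2 observes as the packet's source: the ASA rewrote it, or not.
    seen_ip, seen_port = (asa_outside, 1024) if nat_between else (r1_ip, 500)

    result = detect_nat(cky_i, cky_r, payloads, seen_ip, seen_port, r2_ip, 500)
    any_nat = result["nat_behind_me"] or result["nat_behind_peer"]
    result["esp_transport"] = "udp/4500" if any_nat else "esp/ip-proto-50"
    return result


if __name__ == "__main__":
    print("direct path:", scenario(False))
    print("ASA PAT in path:", scenario(True))
```

Note what the detection does not cover: it runs on R2 only after R1's packet has arrived, and it runs on R1 only after R2's reply has come back. In the thread's topology the PAT on the ASA has no translation for a connection that R2 opens, so R2's first packet is dropped before either side reaches the comparison; that is why the NAT exemption (or a static translation) is still needed on the ASA even with nat-transparency enabled on both routers.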

