IPsec over NAT-T

Unanswered Question
Aug 24th, 2010

Dear All,

Site to Site VPN tunnel, AnyConnect and IPsec VPN are configured on the ASA-5520 device. Currently IPsec over TCP/UDP on port 10000 is enabled.

I would like to enable IPsec over NAT-T in addition. If I do that, what will happen to the existing Site to Site VPN tunnel, AnyConnect and IPsec VPN?

Will this setting (IPsec over NAT-T) disturb the IPsec VPN using Transparent Tunneling over TCP and UDP??

Will the Site to Site VPN tunnel, which doesn't have NAT-T enabled in the crypto maps, be disturbed?

Looking forward to your comments.

Refer to the attachment, page no. 7/30, IPsec NAT-T.


Balajirajah P B

praprama Tue, 08/24/2010 - 09:35


> Will this setting (IPsec over NAT-T) disturb the IPsec VPN using Transparent Tunneling over TCP and UDP??

As the document says, for Remote Access VPN connections with both NAT-T and IPSec over UDP enabled, if the client is behind a NAT device, then NAT-T is used and if it is not, then IPSec over UDP is used. So, if your client connecting to the ASA is behind a NATing device, only then connections are different.

Regarding Site to Site tunnels, IPSec over TCP/UDP never comes into the picture. So NAT-T (IPSec over UDP 4500) will come into effect if there is a NATing device in the path between the 2 VPN peers. Hope this helps.

Let me know if you feel there is something unanswered.

All the best!
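
How IKE peers decide that a NAT device sits in the path, which is the condition the reply above turns on, shown as an added example that is not part of the original thread. It goes beyond the post by implementing the NAT-D hash comparison from RFC 3947 (section 3.2); the cookies, addresses, ports and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (RFC 5737 documentation addresses, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
ASA = ("198.51.100.1", 500)                 # VPN headend
CLIENT_PRIVATE = ("192.168.1.10", 500)      # client's own view of itself
NAT_PUBLIC = ("203.0.113.7", 1024)          # source the ASA sees after NAT


def nat_d_hash(ip, port, hash_name="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(remote, local):
    """Sender: first NAT-D covers the remote end, the second the local end."""
    return [nat_d_hash(*remote), nat_d_hash(*local)]


def detect_nat(payloads, my_addr, observed_src):
    """Receiver: compare the NAT-D hashes with what the packet header shows."""
    dest_hash, src_hashes = payloads[0], payloads[1:]
    local_natted = dest_hash != nat_d_hash(*my_addr)
    remote_natted = nat_d_hash(*observed_src) not in src_hashes
    return {
        "local_behind_nat": local_natted,
        "remote_behind_nat": remote_natted,
        # Any mismatch means the peers move IKE and ESP to UDP 4500.
        "use_nat_t": local_natted or remote_natted,
    }


if __name__ == "__main__":
    # Client behind a NAT device: it hashes its private address,
    # but the ASA sees the translated source.
    natted = detect_nat(build_nat_d(ASA, CLIENT_PRIVATE), ASA, NAT_PUBLIC)
    # Client with no NAT in the path: hashed and observed source agree.
    direct = detect_nat(build_nat_d(ASA, ("203.0.113.7", 500)), ASA, ("203.0.113.7", 500))
    print("behind NAT :", natted)
    print("no NAT     :", direct)
```

A port-only translation also changes the hash, so a peer whose source port is rewritten is detected as being behind NAT even when its address is unchanged.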



