When to use NAT-T and how NAT-T is different from UDP port 10000 on a Cisco 3030 VPN Concentrator with software version 4.1

Document

Wed, 07/22/2009 - 19:54
Jun 22nd, 2009

Resolution

Network Address Translation-Traversal (NAT-T) is the IETF method mentioned in RFC 3193, whereas IPSec over User Datagram Protocol (UDP) port 10000 is a Cisco-developed method that works around the Port Address Translation (PAT) problem. The Cisco CVPN 3000 supports both NAT-T and UDP 10000.

IPSec NAT-T allows IPSec peers to establish a LAN-to-LAN connection through a NAT device. NAT-T encapsulates IPSec traffic in UDP datagrams, through port 4500, and provides NAT devices with port information. NAT-T automatically detects any NAT devices, and only encapsulates IPSec traffic when necessary.

IPSec over UDP allows multiple clients to establish simultaneous tunnels to the concentrator through a NAT or PAT device. IPSec over TCP enables a VPN client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with a modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices, and firewalls.

The VPN 3000 Concentrator can simultaneously support standard IPSec, IPSec over TCP, and IPSec over UDP, based on the client with which it exchanges data.

Note: When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.
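The two encapsulations look different on the wire, which matters when you are auditing which method clients actually use or writing detection rules for the concentrator's traffic. The following is an added example, not part of this Cisco document: a small classifier over constructed UDP datagrams. It assumes the RFC 3948 NAT-T layout on port 4500 (a 4-byte zero non-ESP marker before IKE, raw ESP otherwise, a single 0xFF byte as keepalive) and, as a labelled assumption, that IPSec over UDP 10000 carries ESP directly with no marker.

```python
import struct
from typing import Optional, Tuple

# Constructed sample datagrams as (dst port, UDP payload); not captured traffic.
# NAT-T on UDP 4500 multiplexes three things: a 4-byte zero "non-ESP marker"
# followed by an IKE header, a raw ESP packet (non-zero SPI first), or a
# single 0xFF NAT keepalive. Assumption: Cisco IPSec over UDP 10000 carries
# ESP directly, with no marker.
IKE_SPIS = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed IKE SPIs
SAMPLES = [
    (4500, b"\xff"),                                                # keepalive
    (4500, b"\x00\x00\x00\x00" + IKE_SPIS + b"\x21\x20\x22\x08" + b"\x00" * 8),
    (4500, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),       # ESP, seq 1
    (10000, struct.pack("!II", 0x0BADF00D, 7) + b"\x00" * 16),      # ESP, seq 7
    (500, b"\x00" * 28),                                            # plain IKE
]

def classify(dst_port: int, payload: bytes) -> Tuple[str, Optional[int]]:
    """Return (kind, spi) for one datagram; spi is filled in for ESP only."""
    if dst_port == 4500:
        if payload == b"\xff":
            return ("nat-t keepalive", None)
        if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
            return ("nat-t ike", None)            # non-ESP marker + IKE header
        if len(payload) >= 8:                     # ESP: SPI + sequence number
            return ("nat-t esp", struct.unpack("!I", payload[:4])[0])
        return ("nat-t malformed", None)
    if dst_port == 10000:
        if len(payload) >= 8 and payload[:4] != b"\x00\x00\x00\x00":
            return ("udp-10000 esp", struct.unpack("!I", payload[:4])[0])
        return ("udp-10000 malformed", None)
    return ("not udp-encapsulated ipsec", None)

def summarize(samples):
    """Count each kind so an analyst sees which encapsulation clients use."""
    counts = {}
    for port, payload in samples:
        kind, _ = classify(port, payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, classify(port, payload))
    print(summarize(SAMPLES))
```

Because the concentrator prefers NAT-T when both are enabled, a sustained count of `udp-10000 esp` after enabling NAT-T points at clients that are not negotiating NAT-T and is worth investigating.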
