Cisco Support Community
Community Member

ESP through PAT

I have a site-to-site tunnel between a router (IOS 12.4) and an ASA (8.0(3)).

The tunnel passes through a router which is doing PAT.

I thought the tunnel was running with NAT traversal over UDP 4500 by default, but that was not correct.

But when I monitored the translation table on the PAT router, I found ESP traffic being translated with a strange port number. How is that possible, since the ESP packet has no port and, as far as I know, it should not work with PAT without a layer 4 header?


Community Member

Re: ESP through PAT


In the newer IOS and on the ASA, NAT-T is enabled by default unless you have disabled it.

Have you checked the ports? Are they in the UDP port range of 10000? The Cisco implementation supports either the legacy NAT-T on 4500 or the Cisco UDP 10000.

On some IOS versions I have also noticed that when you enable NAT on the IOS routers, it enables SPI-based NAT, where it differentiates the ESP traffic on the basis of the SPI negotiated in IPsec phase 2.

I think the strange numbers which you are seeing on the router are the SPI numbers.

You can check the SPI numbers in the IPsec SA and verify them.

Check it and let me know. Will surely try to help you out.



Community Member

Re: ESP through PAT

Hi Sushil

Thanks for your reply, and yes indeed, the numbers which I found in the NAT table are the SPIs, even though I don't have NAT-T or NAT over TCP/UDP enabled.

Do you know what that feature is called, and is it a standard and supported by all 12.4 IOS releases?


Community Member

Re: ESP through PAT


I am glad my post was of little help to you.

See, the SPI-based NAT is not dependent on NAT-T. It's a Cisco feature and not a standard.

By default, after 12.3T IOS, when you enable PAT on an IOS router and it sees ESP traffic, it starts SPI-based NAT for ESP traffic by default.

In 12.2T IOS this feature had to be enabled manually.

You are working on 12.4, so it's by default.

The feature is called SPI-based NAT.
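
The idea discussed in this thread, as an added example that is not part of the original posts and is not Cisco's implementation: ESP is IP protocol 50 and carries an SPI instead of ports, so a translating device can key return traffic on the SPI. `SpiTable`, `make_esp`, `parse_esp` and all addresses and SPI values below are hypothetical and constructed for illustration.

```python
import socket
import struct

ESP = 50  # IP protocol number of ESP: the header carries an SPI, no ports

def make_esp(src, dst, spi, seq=1):
    """Build a constructed IPv4+ESP packet (checksum left 0, dummy payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, ESP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!II", spi, seq) + b"\x00" * 8

def parse_esp(pkt):
    """Return (src, dst, spi) for an IPv4 ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != ESP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    spi, _seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), spi

class SpiTable:
    """Hypothetical toy model: match return ESP traffic by SPI, not by port."""
    def __init__(self):
        self.pending = {}  # peer -> inside host awaiting its first reply
        self.inbound = {}  # (peer, SPI seen on return traffic) -> inside host

    def outbound(self, pkt):
        src, dst, _spi = parse_esp(pkt)
        if (dst, src) not in {(p, h) for (p, _), h in self.inbound.items()}:
            self.pending.setdefault(dst, src)

    def inbound_lookup(self, pkt):
        """Return the inside host a return packet belongs to, or None."""
        peer, _dst, spi = parse_esp(pkt)
        if (peer, spi) not in self.inbound and peer in self.pending:
            # SPIs are per direction: learn the return SPI from the first reply.
            self.inbound[(peer, spi)] = self.pending.pop(peer)
        return self.inbound.get((peer, spi))

def demo():
    peer, public, t = "203.0.113.9", "198.51.100.1", SpiTable()  # constructed
    def reply(spi):
        return t.inbound_lookup(make_esp(peer, public, spi))
    t.outbound(make_esp("10.0.0.5", peer, 0x1111AAAA))
    first = reply(0x2222BBBB)   # learned and bound to 10.0.0.5
    t.outbound(make_esp("10.0.0.6", peer, 0x3333CCCC))
    second = reply(0x4444DDDD)  # learned and bound to 10.0.0.6
    return first, second, reply(0x2222BBBB), reply(0x5555EEEE)
```

Because each direction of an IPsec SA has its own SPI, the model can only bind a return SPI after an inside host has sent first, and a return packet with an SPI nobody is waiting for maps to no inside host.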



Community Member

Re: ESP through PAT

Thanks a lot for your help.

Regards.
