New Member

NAT-T needs no config changes in 12.2(15)T10

I have updated from 12.2(8)T10 to 12.2(15)T10 to take advantage of the NAT-T functionality. I was under the impression that I did not need to make any changes to the config - especially inbound ACLs. What I find though is that I have to add:

access-list 100 permit udp any host 67.X.Y.Z eq 4500

for the inbound client connections to get past IKE.

The UDP eq 4500 gets translated by IOS to UDP eq "non500-isakmp" by the way.

Am I missing something here???

1 ACCEPTED SOLUTION

Cisco Employee

Re: NAT-T needs no config changes in 12.2(15)T10

You don't have to make any crypto command changes, the router will automatically negotiate to use NAT-T without you doing anything.

If NAT-T is negotiated though, then all packets will be encapsulated into UDP/4500 packets, so of course if you have an inbound access-list you have to then allow those packets in, otherwise they'll simply be dropped at the interface. The "non500-isakmp" is just the naming convention the IOS guys came up with to signify NAT-T packets.
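
As an added check (not code from this thread or from Cisco), the Python below reads an IOS numbered ACL and applies first-match semantics to report whether IKE (UDP/500), NAT-T (UDP/4500, which IOS displays as non500-isakmp) and ESP can reach the VPN endpoint. The ACL lines and the 192.0.2.10 address are constructed sample input, not taken from the post.

```python
import re
# Constructed sample outside-interface ACL (not from the thread); 192.0.2.10 is a
# documentation address standing in for the router's public IP.
SAMPLE_ACL = """
access-list 100 permit udp any host 192.0.2.10 eq isakmp
access-list 100 permit esp any host 192.0.2.10
access-list 100 deny ip any any
"""
# IOS shows well-known ports by name: 500 -> isakmp, 4500 -> non500-isakmp.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# Inbound flows an IPsec peer needs: IKE, NAT-T (IKE and ESP inside UDP/4500), raw ESP.
WANTED = {"ike_udp500": ("udp", 500), "natt_udp4500": ("udp", 4500), "esp": ("esp", None)}
ACE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?:any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_aces(text):
    """Return (action, proto, dst, port) for each numbered ACE, in ACL order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # remarks, source-port ACEs and unsupported syntax are skipped
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        aces.append((m.group("action"), m.group("proto"), " ".join(m.group("dst").split()), port))
    return aces

def ace_matches(ace, proto, port, vpn_ip):
    """True if this ACE matches a packet of proto/port addressed to vpn_ip."""
    _, aproto, dst, aport = ace
    if dst not in ("any", f"host {vpn_ip}"):
        return False
    if aproto != "ip" and aproto != proto:  # 'ip' matches every protocol
        return False
    return aport is None or aport == port

def ipsec_ingress_check(acl_text, vpn_ip):
    """Apply IOS first-match semantics; report which IPsec flows are let in."""
    result = {}
    for name, (proto, port) in WANTED.items():
        verdict = "deny"  # implicit deny at the end of every IOS ACL
        for ace in parse_aces(acl_text):
            if ace_matches(ace, proto, port, vpn_ip):
                verdict = ace[0]
                break
        result[name] = verdict == "permit"
    return result
```

On the sample ACL the check reports IKE and ESP permitted but NAT-T denied, which is exactly the gap the original poster hit after the upgrade.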

3 REPLIES

New Member

Re: NAT-T needs no config changes in 12.2(15)T10

Glenn - thanks for the clarification. The documentation seemed to indicate that dynamic entries would be made to any outside facing ACLs. Maybe I need to read the docs a little closer. I understand the "non500-isakmp" - I just like the way programmers use poetic license at times.

New Member

Re: NAT-T needs no config changes in 12.2(15)T10

I have a hub and spoke design where the spokes do IPSEC to 2 different Hub sites for redundancy and backup link. Do I need to configure a different port other than 4500 for the second tunnel?
