VPN and NAT

I'm doing a new VPN config on an ASA 7.2(1). Trying to find out if I should use IPSec over TCP, IPSec over UDP or NAT-T.

Any comments on which is better?

3 REPLIES

Re: VPN and NAT

Hi .. NAT-T is used for establishing an IPsec tunnel with a device located behind a device that does NAT .. If you are setting up a LAN to LAN VPN and your ASAs have public routable addresses then you only need IPsec .. no need for UDP encapsulation. NAT-T is commonly used for allowing users running VPN clients, which are behind a NAT device such as an ADSL router, to establish an encrypted tunnel to the corporate network.

I hope it helps .. Please rate it if it does !!!


Re: VPN and NAT

Sorry, should have been more specific. This is for remote access clients.

NAT-T, IPsec over TCP and IPsec over UDP are used when normal IPsec communication cannot operate normally, like when behind a NAT and/or PAT device. Each is a different type of NAT transparency.

NAT-T still uses UDP but it has a fixed port 4500. It will also work with L2L tunnels.

I'm trying to figure out which one works the best.

Thanks,

Chad


Re: VPN and NAT

NAT-T works SIGNIFICANTLY better than plain IPsec over UDP. Home wireless/broadband routers seem to kill IPsec over UDP connections every few minutes. However, we've had the best luck long-term with IPsec over TCP.

There may be a performance impact in using TCP instead of UDP, but we haven't been able to benchmark it.

My recommendation would be for a new deployment do it over TCP, but if you're in an existing deployment with the PCFs already set for UDP, RUN..don't walk ... to turn on NAT-T.

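For reference, the ASA commands that turn on each of the three NAT transparency mechanisms discussed in this thread. This is an added configuration example, not something posted by any of the participants above; the group-policy name RAVPN-GP and tunnel-group name RAVPN are hypothetical, and the port numbers shown are the ASA defaults for IPsec over TCP and IPsec over UDP (both 10000), which you can change to suit your environment.

```cisco
! Added example (not from the original thread). Names RAVPN / RAVPN-GP are assumed.
!
! Option 1: NAT-T (RFC 3947/3948). IKE starts on UDP 500, moves to UDP 4500 once a NAT
! is detected, and ESP is then UDP-encapsulated on 4500. The argument is the NAT
! keepalive interval in seconds (default 20), which keeps the NAT mapping alive.
crypto isakmp nat-traversal 20
!
! Option 2: IPsec over TCP. Clients connect to the listed TCP port(s); the client
! profile (PCF) must be set to TCP with the same port. Up to ten ports may be listed.
crypto isakmp ipsec-over-tcp port 10000
!
! Option 3: IPsec over UDP (Cisco-proprietary UDP encapsulation). Enabled per group
! policy rather than globally, and the UDP port is set alongside it.
group-policy RAVPN-GP attributes
 ipsec-udp enable
 ipsec-udp-port 10000
!
tunnel-group RAVPN general-attributes
 default-group-policy RAVPN-GP
!
! After a client connects, confirm the transport that was actually negotiated.
show vpn-sessiondb detail remote
show crypto isakmp sa
```

All three can coexist on the same ASA; the client side decides which one it attempts, and NAT-T is negotiated automatically in IKE phase 1 when both peers support it and a NAT is detected, whereas IPsec over TCP and IPsec over UDP must be selected explicitly in the client profile. Whichever you choose, make sure the corresponding port (UDP 4500, or the TCP/UDP port you configured) is permitted through any firewall in front of the ASA.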