This is the default behavior for IOS-based IPsec endpoints. During the phase 1 negotiation, both devices will identify whether NAT is present in the path between peers and will utilize UDP 4500 encapsulation automatically.
You can disable NAT-T support in IOS using the "no crypto ipsec nat-transparency udp-encapsulation" command. NAT-T is negotiated between Cisco endpoints and cannot be fixed. Without NAT-T support, IOS will continue to encapsulate using UDP 500.
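The phase 1 NAT check described above works by exchanging NAT-D hashes, defined in RFC 3947 as HASH(CKY-I | CKY-R | IP | Port). The sketch below is an added example, not Cisco code or part of the original post; it assumes SHA-1 as the negotiated hash, and the cookies and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def detect_nat(cky_i, cky_r, nat_d_payloads, observed_src, local_addr):
    """Receiver-side NAT detection.

    nat_d_payloads: hashes sent by the peer; the first covers the address the
    peer sent to, the rest cover the peer's own possible source addresses.
    observed_src: (ip, port) taken from the received packet's IP/UDP headers.
    local_addr: (ip, port) the receiver is actually listening on.
    """
    dst_hash, src_hashes = nat_d_payloads[0], nat_d_payloads[1:]
    local_behind_nat = nat_d_hash(cky_i, cky_r, *local_addr) != dst_hash
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in src_hashes
    return {
        "local_behind_nat": local_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        "use_udp_4500": local_behind_nat or peer_behind_nat,
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
INITIATOR = ("192.168.1.10", 500)    # private address behind a NAT device
TRANSLATED = ("203.0.113.5", 1024)   # what the NAT rewrites the source to
RESPONDER = ("198.51.100.20", 500)

def initiator_payloads():
    """NAT-D payloads as the initiator computes them before translation."""
    return [nat_d_hash(CKY_I, CKY_R, *RESPONDER),
            nat_d_hash(CKY_I, CKY_R, *INITIATOR)]

if __name__ == "__main__":
    payloads = initiator_payloads()
    print("NAT in path:", detect_nat(CKY_I, CKY_R, payloads, TRANSLATED, RESPONDER))
    print("no NAT:     ", detect_nat(CKY_I, CKY_R, payloads, INITIATOR, RESPONDER))
```

A source-hash mismatch means the peer's address was rewritten in transit, which is the condition that moves the exchange to UDP 4500.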
Introduction: This document describes details on how NAT-T works.
Background: ESP encrypts all critical information, encapsulating the entire inner TCP/UDP datagram within an ESP header. ESP is an IP protocol in the same sense that TCP and UDP are I...