Our firewall has multiple site-to-site VPNs and also supports Remote Access VPN (using an ASA). A number of RA users who are coming from behind a PAT'd address are unable to VPN in. After doing some research I am seeing that a line needs to be added on both firewalls, i.e.:
isakmp nat-traversal 20
I fear though that this will "hurt" the site-to-site VPN based on this document:
You are on the right path; "isakmp nat-traversal" should overcome the issues you are running into with RA users behind a PAT device.
And technically, by enabling "isakmp nat-traversal", you should not run into any issues with L2L tunnels. At least, that is what I have seen with Cisco VPN servers. In case you have L2L tunnels configured to third-party vendors, I would recommend that you enable this command during a "Maintenance Window" and, if possible, clear the isakmp and ipsec SAs and re-establish the tunnels, so you know for sure that enabling the command did not break the L2L tunnel configuration/behavior.
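As an added example (not from either post in this thread), here is the ASA-side change together with the verification and the maintenance-window SA clearing the answer recommends. It assumes the IKE policy and tunnel groups already exist; the interface name "outside" is an assumption.

```cisco
! Added example, not from the thread: enable NAT-T on an ASA and verify it.
! Assumes the IKE policy and tunnel groups are already configured and the
! VPNs terminate on an interface named "outside" (assumed name).
!
! --- Enable NAT-T with a 20-second keepalive (ASA 7.2+/8.x syntax;
!     7.0 code uses "isakmp nat-traversal 20" as written in the question).
!     NAT-T is only negotiated with a peer when NAT is detected between the
!     two endpoints, so L2L peers with public addresses keep using UDP/500.
crypto isakmp nat-traversal 20
!
! --- Make sure any upstream filter in front of "outside" permits UDP/4500
!     in addition to UDP/500 and ESP; NAT-T moves IKE and ESP to UDP/4500.
!
! --- Verification: confirm the setting and watch PAT'd RA peers come up
show running-config crypto isakmp
show crypto isakmp sa detail
show crypto ipsec sa
!
! --- Maintenance window only (as the answer suggests): tear down all IKE
!     and IPsec SAs so every tunnel renegotiates, then confirm each L2L
!     peer re-establishes with the setting in place.
clear crypto ipsec sa
clear crypto isakmp sa
show crypto isakmp sa
```

For RA peers behind PAT, the "show crypto isakmp sa detail" output should show the remote side on UDP port 4500 once NAT-T is in use.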