I'm running IOS 12.4(3a) on my 2821 router. The router is doing NAT for certain IPs and acting as a VPN L2L termination point. My network setup is as follows:
My Router ------ ASA ------- Internet Router ------ Peer Router
The same interface on the router is used for NAT and IPsec termination.
Actually, the IPsec traffic passes all the way through the ASA firewall to the internet router and finally to the destination peer router. I've noticed that I have to enable NAT-T on the ASA to bring the IPsec tunnel up and running. I did it and it's up.
But now my router negotiates the ISAKMP SA on port 4500 because of NAT-T and the peer router responds back on port 500. It's a mess: for every 100 ICMP packets sent I get almost 15-20 dropped packets, which is unacceptable behavior.
I need to know the possibility to have a workaround to avoid NAT-T or configuring QOS.
NAT-T is implemented on the ASA, not on the VPN router, to permit the IPsec tunnel to be established through it.
I totally agree with you on point 2, but once I disabled NAT-T on the ASA I can't initiate the VPN connection from my side (the remote side has to initiate the connection to bring the tunnel up). Something strange!!
NAT-T on the ASA should only be needed for clients terminating a VPN tunnel on the ASA from behind a NAT device outside (like a home Linksys router). Do you have a static one to one NAT on the ASA to translate your inside router to an outside address or does the router fall into a nat pool that translates to a global outside address?