
New Member

NAT -T

Can I know what the NAT-T option is, and in which scenarios we should enable it?

7 REPLIES
Cisco Employee

Re: NAT -T

Hello,

NAT-traversal is needed when a VPN endpoint is behind a NAT device of some sort, typically a PAT device.  Due to the fact that ESP (encapsulating security payload - essentially the encrypted packet in most VPNs) is IP protocol 50 and doesn't have any TCP port numbers, it's impossible to PAT the ESP packet - so VPNs behind NAT devices will fail.

NAT-T allows both VPN endpoints to figure out that they are behind NAT, and will allow them to encapsulate the ESP packet in a UDP packet (port 4500) so that the NAT devices can then NAT the VPN traffic correctly.

You can read about Cisco NAT-T here:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1035673

--Jason

New Member

Re: NAT -T

Is this only required when PAT comes into the scene? Is this applicable for both Site-to-Site as well as Remote VPN?

Cisco Employee

Re: NAT -T

If any NAT is in the scenario, you should turn it on.  In general, NAT-T doesn't hurt anything, so having it enabled on all sides shouldn't impact anything.  You just need to be aware your traffic is travelling over UDP 4500 and that you'll have to allow that port through any filtering devices (firewalls, etc.) as well as ISAKMP and ESP.

--Jason

New Member

Re: NAT -T

Suppose my VPN device is an ASA, and I have not terminated the internet on the firewall but on the perimeter router, and I have a /30 between the firewall and the router. And I put a NAT in the router for the firewall's outside interface. So basically the NATting happens in the router, and VPN termination will happen in the firewall. In this case, do we require NAT-T? Is this applicable for both Site-to-Site as well as Remote VPN?

[VPN DEVICE]<--------->[ROUTER]<------------------------>INTERNET<------------------------>-[VPNDEVICE]

                       private ip               public ip                                                         public ip

(I have only a router (NAT device) at one end)

Regards,

Manu B.

Cisco Employee

Re: NAT -T

Yes, NAT-T applies for both l2l and remote, and if you are natting any of the devices that are doing VPN, it is required.

--Jason

New Member

Re: NAT -T

You mean to say, if you are NATting the IP of the VPN termination device? Like my scenario posted above (the VPN device (FW) external IP is NATted in the router)?

New Member

Re: NAT -T

One more point to be cleared: is NAT-T only required when PAT is used?

Please confirm the following packets:


[l2][ip][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport

[l2][new ip][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel

[l2][ip][UDP/TCP][esp][transport][data][esp trailer][esp auth][l2 checksum] --> transport with NAT-T

[l2][new ip][UDP/TCP][esp][ip][transport][data][esp trailer][esp auth][l2 checksum] --> tunnel with NAT-T
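To make the two points of this thread concrete (raw ESP has no ports for a PAT device to key on, and NAT-T fixes that by wrapping ESP in UDP 4500), here is an added example that is not part of the thread or any Cisco code. It builds a constructed ESP packet once as raw IP protocol 50 and once UDP-encapsulated, shows which of the two a port-based translator can key a mapping on, and classifies a UDP/4500 payload as IKE, ESP or keepalive the way RFC 3948 specifies (a 4-byte zero non-ESP marker in front of IKE, a bare 0xFF for keepalives). Addresses, SPI and payload bytes are constructed; the IPv4 header builder is a minimal helper with no checksum.

```python
import socket
import struct

ESP_PROTO = 50     # IP protocol number of ESP: no transport ports, so PAT has nothing to rewrite
UDP_PROTO = 17
TCP_PROTO = 6
NAT_T_PORT = 4500  # UDP port that carries ESP (and IKE) once NAT has been detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on 4500 is prefixed with four zero bytes

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for this example)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def pat_key(packet: bytes):
    """Return the (src, sport, dst, dport) tuple a PAT device keys a translation on,
    or None when the packet carries no ports (raw ESP: the case that breaks the VPN)."""
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if proto in (UDP_PROTO, TCP_PROTO):
        sport, dport = struct.unpack("!HH", packet[20:24])
        return (src, sport, dst, dport)
    return None  # ESP (50) and anything else portless: no field to map the return traffic on

def udp_encap(esp: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Wrap an ESP packet in a UDP header (checksum zero), as NAT-T does after detection."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp

def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Classify the payload of a UDP/4500 datagram per RFC 3948.
    A real SPI is never zero, so a leading zero word can only be the non-ESP marker."""
    if udp_payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if udp_payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike": udp_payload[4:]}
    if len(udp_payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

# Constructed sample: ESP header (SPI 0x1234abcd, sequence 7) plus dummy ciphertext bytes
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 7) + b"\xde\xad\xbe\xef" * 4
RAW_ESP_PKT = ipv4("10.0.0.5", "203.0.113.9", ESP_PROTO, SAMPLE_ESP)
NAT_T_PKT = ipv4("10.0.0.5", "203.0.113.9", UDP_PROTO, udp_encap(SAMPLE_ESP))

if __name__ == "__main__":
    print(pat_key(RAW_ESP_PKT))                     # None: nothing for PAT to key on
    print(pat_key(NAT_T_PKT))                       # ('10.0.0.5', 4500, '203.0.113.9', 4500)
    print(classify_nat_t_payload(NAT_T_PKT[28:]))   # skip 20-byte IP + 8-byte UDP header
```

Note that the classifier is also what a firewall or IDS needs in order to tell IKE from ESP on the single UDP 4500 port Jason says must be allowed through.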
