
New Member

need to disable ipsec nat-t on router

All,

I will need to run ipsec in ESP. What is the command to disable NAT-T on a router? I have tried "no crypto ipsec nat-transparency udp-encaps" but still see packets in UDP 4500.

Thanks,

7 REPLIES
Cisco Employee

Re: need to disable ipsec nat-t on router

That command disables it; however, it only disables the router replying back on UDP 4500. If the remote party (peer or client) has this feature enabled and NAT is found on the path, then it will still receive those packets.

New Member

Re: need to disable ipsec nat-t on router

Thanks for your reply. I have both sides configured with "no crypto ipsec nat-transparency udp-encaps". Still seeing UDP 4500. There are two NAT devices in the path.

Cisco Employee

Re: need to disable ipsec nat-t on router

This command disables the feature. Please get the output of "show crypto ipsec sa" and "debug cry isakmp".

New Member

Re: need to disable ipsec nat-t on router

Hi yuhuiyao,

I have similar intentions in my network, but when I tried it in lab testing I still get IPSec packets encrypted and the tunnel built up even though I disabled ipsec nat-transparency on both routers. I tried a different router model and still get IPSec packets encrypted. You can see my scenario in this simple network diagram:

Note: my IOS 12.2 does not have NAT-T support yet

Test 1:

R7(ios 12.2)--------------------(R3-nat device)-----------------------R8(ios 12.2)      Result: IPSec tunnel is established

Test 2: (typed no crypto ipsec nat-transparency udp-encaps on both IPSec ends)

R1(ios 12.4)--------------------(R7-nat device)-----------------------R3(ios 12.4)      Result: IPSec tunnel is established

Have you solved your problem already since March 2009?

Sincerely,

Lorenz

Cisco Employee

Re: need to disable ipsec nat-t on router

Hi Lorenz,

By tunnel established you mean IPSEC ESP tunnel or IPSEC NAT-T UDP 4500 tunnel?

New Member

Re: need to disable ipsec nat-t on router

Hi Ivan,

It is the IPSec ESP tunnel. I tried issuing the command "no crypto ipsec nat-transparency udp-encaps"
and "no crypto ipsec nat-transparency spi-matching" on both VPN endpoints.

I noticed, however, that when the NAT device is changed to PAT, the NAT-T feature begins to take part.

Is the NAT-T limited by PAT (interface overload) only?


Lorenz

New Member

Re: need to disable ipsec nat-t on router

Hi Ivan,

In my testing here are my findings:

Given the diagram:

R1(ipsec endpoint)(g0/0)--------------------R7(nat device)----------------------------R3(ipsec endpoint)

R7 translates R1's g0/0 IP address

1. Static NAT - don't care (this means when NAT-T is on, the packet is UDP-encapsulated; if not, then the usual encapsulation)
2. Static PAT (overload) - working (means NAT-T must be configured on both tunnel endpoints for UDP encapsulation)
3. Dynamic NAT - not working (no tunnel; IKE Phase 1 fails negotiation) (see debug outputs)

Could you do a similar test on your end so we can prove this scenario?

Regards,

Lorenz
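The findings above (static NAT vs. PAT, and why UDP 4500 only appears when both peers keep NAT-T enabled) come down to the RFC 3947 NAT-D check: each peer hashes its own address as it believes it to be, and the receiver recomputes the hash over the address it actually sees. The model below is an added illustration, not code from the thread or from Cisco IOS; it assumes SHA-1 as the negotiated IKE hash and uses constructed cookies and addresses.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated IKE hash algorithm."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port) -> bool:
    """The receiver recomputes the hash over the source address it sees on the wire;
    any mismatch means a device on the path rewrote the IP and/or port."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    local = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return sent != local


def tunnel_outcome(initiator_natt: bool, responder_natt: bool, nat_kind: str) -> str:
    """Combine NAT-D detection with each peer's NAT-T setting.
    nat_kind: 'none', 'static' (1:1, IP rewritten only) or 'pat' (IP and port rewritten).
    Returns 'esp' (plain ESP works), 'udp-4500' (floats to NAT-T) or 'fail'."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8      # constructed ISAKMP cookies
    inside_ip, inside_port = "10.1.1.1", 500     # initiator's own view (constructed)
    translations = {                             # constructed outside address
        "none": (inside_ip, inside_port),
        "static": ("203.0.113.5", 500),
        "pat": ("203.0.113.5", 1024),
    }
    seen_ip, seen_port = translations[nat_kind]
    nat = nat_detected(cky_i, cky_r, inside_ip, inside_port, seen_ip, seen_port)
    # NAT-D is only exchanged when both peers advertise NAT-T; a router with
    # "no crypto ipsec nat-transparency udp-encaps" never floats to UDP 4500.
    if nat and initiator_natt and responder_natt:
        return "udp-4500"
    if nat_kind == "pat":
        return "fail"      # plain ESP carries no ports for PAT to track
    return "esp"           # no NAT, or a 1:1 static NAT that ESP survives
```

Dynamic NAT, which the post reports as failing at IKE Phase 1, is deliberately not modelled because the thread does not show the debug output explaining that failure.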
