Cisco Support Community

New Member

VPN NAT Traversal for Private Networks

I have noticed the following behavior with the Cisco VPN Client (4.x).

Conditions - Start a Remote Access Client IPSec Tunnel to a Cisco Firewall (PIX/ASA 6.x/7.x)

The Cisco Firewall is the perimeter firewall for a company network and has a public IP. It is also serving as a VPN Headend.

The Client is coming from a remote network using private IP addressing.

There are two cases to this:

Case 1 - Client is attached to a router/firewall that does NAT. The router/firewall has a public IP on the Internet. The client is directly behind the router/firewall on a single, flat network (typically In this situation, the client can VPN to the remote PIX/ASA/Cisco firewall even without NAT-Traversal enabled and everything works fine.

Case 2 - Now if we take a similar situation - client is on a private network behind a router/firewall that is on the Internet with a public IP. However, now the client has one or more routers between itself and the router/firewall with the public IP. In this case, the client can initiate a VPN connection to the remote PIX/ASA/Cisco firewall and successfully authenticate. However, the client will be unable to pass traffic to the networks behind the firewall. If we enable NAT-Traversal, the problems go away and everything works great. (Requires 6.3+ for PIX/ASA).

My question is, why does Case 1 work? Shouldn't they both fail without NAT-T enabled?

I run into this all the time and tell my clients. They do it and see that it works but they always want to know why and I'm not sure!

Any explanations would be greatly appreciated.



New Member

Re: VPN NAT Traversal for Private Networks

My understanding is,

As long as you don't have one to one NAT, you will need NAT traversal.

My situation is simple: I have one third-party broadband router and two PCs at home. If my office firewall doesn't enable NAT-T, I will not be able to pass traffic.

What I do is, on my broadband router, I do one-to-one NAT to one of my PCs... and the traffic will pass. However, PC 2 will not be able to pass any traffic although the VPN client gets established.

Enabling NAT-T at the firewall will allow both PCs to pass traffic.

Cisco Employee

Re: VPN NAT Traversal for Private Networks


Couple of possibilities for Case 1 to work.

1. One to One Static Translation for the VPN Client.

2. Router/Firewall supports IPSEC PASSTHROUGH.

Let me know if it helps.
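
Added example (not part of any post in this thread): a small classifier for checking, from a capture taken on the client side, whether the tunnel's data plane is native ESP (IP protocol 50, which has no ports for a PAT device to translate) or NAT-T's ESP-in-UDP on port 4500. It assumes standard NAT-T per RFC 3947/3948; the sample packets, addresses and SPI are constructed, and the function names are illustrative.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17          # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500        # IKE and NAT-T (RFC 3947/3948) UDP ports

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by how it carries IKE/IPsec."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == ESP_PROTO:
        return "native-esp"            # no ports, so a PAT device cannot multiplex it
    if pkt[9] != UDP_PROTO or len(pkt) < ihl + 8:
        return "other"
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + ulen]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "nat-keepalive"     # one 0xFF byte keeps the NAT mapping alive
        if payload[:4] == b"\x00" * 4:
            return "ike-over-4500"     # non-ESP marker precedes the IKE header
        return "esp-in-udp"            # ESP wrapped in UDP: translatable by PAT
    return "ike" if IKE_PORT in (sport, dport) else "other"

def verdict(packets) -> str:
    """Summarise which data-plane encapsulation a capture shows."""
    kinds = {classify(p) for p in packets}
    if "esp-in-udp" in kinds:
        return "nat-t"
    if "native-esp" in kinds:
        return "native-esp"
    return "control-only" if kinds & {"ike", "ike-over-4500"} else "no-ipsec"

# --- constructed sample packets (addresses from documentation ranges) ---
def ipv4(proto: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 1]))
    return hdr + body

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SPI_SEQ = struct.pack("!II", 0x1A2B3C4D, 1)      # made-up ESP SPI and sequence number
IKE = ipv4(17, udp(500, 500, b"\x11" * 28))      # opaque stand-in for an IKE message
WITHOUT_NATT = [IKE, ipv4(50, SPI_SEQ + b"\x00" * 16)]
WITH_NATT = [IKE, ipv4(17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
             ipv4(17, udp(4500, 4500, SPI_SEQ + b"\x00" * 16)),
             ipv4(17, udp(4500, 4500, b"\xff"))]

print(verdict(WITHOUT_NATT), verdict(WITH_NATT))
```

A "control-only" verdict, meaning IKE packets but no ESP of either kind, matches the symptom described in Case 2: the client authenticates but passes no traffic.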



New Member

Re: VPN NAT Traversal for Private Networks

Just a thought, are the VPN clients getting an IP address from an IP pool on the PIX? If so, do the additional routers behind the NAT router with the public IP know how to route the address from the IP pool back to the client? Could be a routing issue.