ASA and Nat-Traversal option

jimmycher used Ask the Experts™
Is there any reason you would turn off Nat-T on an ASA?

If it's on, and you don't use it, then no-harm-no-foul, right?

I ask because we get much different failures when we turn on NAT-T (i.e no connection), versus when we have it turned off (then we get IPSEC, but no data flow)
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Senior infrastructure engineer
Top Expert 2012
Normally you wouldn't because it won't do no harm:

NAT Traversal

Traditionally, the IPSec tunnels fail to pass traffic if there is a PAT device between the peers. Cisco ASA uses ESP which does not have any Layer 4 information. Thus a PAT device usually drops IPSec packets. To remedy this problem, Cisco drafted an IETF standard called NAT Traversal (NAT-T) to encapsulate the ESP packets into UDP port 4500 so that the PAT device knows how to translate the encrypted packets. NAT-T is dynamically negotiated if the following two conditions are met:

Both VPN peers are NAT-T capable.
There is a NAT or PAT device between the peers.

But if for some reason that port 4500 is blocked in between there might be issues.

So when you turn it of you get an ipsec connection but no data going through? Perhaps that is a configuration issue?
Ernie BeekSenior infrastructure engineer
Top Expert 2012

I took the liberty of adding the Cisco PIX/ASA and VPN zones to your question to see if we can get the attention of some additional experts.


Enabling Nat-T fixed the problem the second time around; unknown what happened the first time when it didn't work.   Thanks.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial