4 Replies. Latest reply: May 28, 2013 5:47 AM by Adnan Khan

    Nat Traversal (transparency) over IPsec


      Okay so I am trying to fully understand NAT-T. I have read Cisco's documentation on it, I have looked for RFC's describing it but nothing seems very clear. I understand it will just wrap the packet in a UDP header to allow it through a NAT point but why does NAT interfere with IPsec in the first place?


      In my limited experience I have seen when a remote user is home behind a router performing NAT they can send traffic through the VPN to the PIX in the Corporate Office without NAT-T disabled but if you put the same user behind TWO devices that are NAT'ing they cannot pass traffic through the IPsec tunnel. Now, if I enable NAT-T on the PIX they are successful in passing traffic down the IPsec tunnel.


      What is happening here? Any insight would be much appreciated




        • 1. Re: Nat Traversal (transparency) over IPsec
          Keith Barker - CCIE RS/Security, CISSP

          Hello CJ-


          A long time ago, in a network far far away, PAT was in use.   The old PAT router would track UDP and/or TCP port numbers with overload, to keep tabs on which sessions went with which inside devices.


          Then along came IPSec, neither UDP nor TCP; it is protocol #50. A really old PAT device that only PATs on UDP or TCP would freak out and say "how do I track that?" (no ports; new routers can track this with PAT just fine), and the ESP would fail due to a lack of translation.


          So, when 2 VPN NAT-T compatible endpoints notice that they are connected via NAT, they will err on the side of caution and use UDP 4500 as a shim in front of the ESP header, so that a really old PAT device can still track the sessions, due to the UDP shim there.


          Best wishes,
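          The port-tracking problem described in this reply, as an added toy simulation (not code from the thread, from Cisco, or from any real PAT implementation): a PAT table keyed only on protocol, address and port has nothing to overload on for bare ESP (IP protocol 50) and drops it, while the same ESP packet wrapped in the UDP 4500 shim of NAT-T (RFC 3948) round-trips through one or two such devices. The inside/public addresses, the 40000+ translated ports and the SPI values are constructed for the example.

```python
"""Toy model of a port-based PAT and of NAT-T UDP encapsulation of ESP.
All addresses, ports and SPIs below are constructed sample values."""
from dataclasses import dataclass, replace
from typing import List, Optional

TCP, UDP, ESP = 6, 17, 50
NAT_T_PORT = 4500          # UDP port used by NAT-T (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: the protocol has no ports
    dport: Optional[int] = None
    payload: object = None        # inner ESP packet when UDP-encapsulated


class PortPat:
    """PAT overload that keys its translations strictly on (proto, addr, port)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside_ip, inside_port) -> public port
        self.back = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (TCP, UDP):
            return None  # no port to overload on: the legacy PAT drops it
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.back.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no session state for this port: dropped
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def esp(src: str, dst: str, spi: int) -> Packet:
    """Bare ESP: IP protocol 50, no transport ports at all."""
    return Packet(src, dst, ESP, payload={"spi": spi})


def udp_encap(pkt: Packet) -> Packet:
    """NAT-T: put a UDP 4500 -> 4500 shim in front of the ESP packet."""
    return Packet(pkt.src, pkt.dst, UDP, NAT_T_PORT, NAT_T_PORT, payload=pkt)


def round_trip(pats: List[PortPat], client: str, gateway: str, use_nat_t: bool) -> bool:
    """Send one ESP packet client -> gateway through the PAT chain (nearest
    device first) and one reply back. True only if both directions arrive."""
    pkt = esp(client, gateway, spi=0x1001)
    if use_nat_t:
        pkt = udp_encap(pkt)
    for pat in pats:
        pkt = pat.outbound(pkt)
        if pkt is None:
            return False
    # The gateway answers to whatever outer source it saw.
    reply = esp(gateway, pkt.src, spi=0x2002)
    if use_nat_t:
        reply = replace(udp_encap(reply), dport=pkt.sport)
    for pat in reversed(pats):
        reply = pat.inbound(reply)
        if reply is None:
            return False
    return reply.dst == client


if __name__ == "__main__":
    client, gw = "192.168.1.10", "203.0.113.1"
    one_nat = [PortPat("198.51.100.7")]
    two_nats = [PortPat("10.0.0.2"), PortPat("198.51.100.7")]
    print("bare ESP through one port-PAT:", round_trip(one_nat, client, gw, False))
    print("NAT-T through one port-PAT:   ", round_trip(one_nat, client, gw, True))
    print("NAT-T through two port-PATs:  ", round_trip(two_nats, client, gw, True))
```

          The model deliberately leaves out the ESP-aware tracking that newer routers do; it only shows the mechanism in the reply above, namely that the UDP shim gives a port-only PAT a session key while the ESP header itself carries none.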



          • 2. Re: Nat Traversal (transparency) over IPsec



            Thanks for your response. That helps me understand how it functions. Now the only remaining question I have is why it was working when I was behind one router/firewall device with NAT-T disabled but not when I was behind two?


            Once I went behind two router/firewalls that were NAT'ing I was not able to carry traffic across the tunnel.


            In addition to that experience, there was a laptop connected to a tethered smartphone that would surf the internet and connect to the vpn just fine but was unable to reach any network behind the firewall (ie. it couldn't carry traffic through the tunnel) until I enabled NAT-T.


            If this is only needed for old devices... why are modern SO/** router/firewalls failing to carry traffic, and also modern smartphones?





            • 3. Re: Nat Traversal (transparency) over IPsec
              Keith Barker - CCIE RS/Security, CISSP

              Hello CJ-


              In my story, I only intended to explain the basic purpose of NAT-T in the context of IPSec.


              Regarding your current scenario:


              Are one or both of your firewalls an ASA or PIX with ver 8.x or higher?


              Are both firewalls attempting/performing NAT?


              Is the ipsec passthrough option configured on one of the firewalls?


              There are many variables.



              • 4. Re: Nat Traversal (transparency) over IPsec
                Adnan Khan


                Nice explanation. I was looking for this info.

                Adnan Khan