13 Replies Latest reply: Feb 16, 2015 6:00 AM by Farhan Siraj Patel

    crypto isakmp nat-traversal

    Steven Williams

      What does this command do? I seem to have an issue with my site-to-site VPN to my remote ASA, and it looks like the ASA is complaining about this NAT-T thing on my local SonicWall...

        • 1. Re: crypto isakmp nat-traversal
          Conwyn

          Hi Hollywood


          It normally detects it. Paul will know.


          Regards Conwyn

          • 2. Re: crypto isakmp nat-traversal
            Paul Stewart  -  CCIE Security

            I'm not sure what devices are playing what roles in this environment.  However, my recollection is that nat-traversal is disabled by default on the ASA and enabled by default in IOS.  While it is enabled, it is only used when NAT is found in the path.  Therefore, it rarely causes an issue (and usually resolves issues) when enabled.  The challenge for VPN and NAT is that traffic is typically encapsulated into ESP.  ESP doesn't have ports like UDP and TCP.  So typical NAT overloading (PAT) techniques don't work.  Nat-traversal encapsulates the ESP into UDP to make it NAT friendly.  HTH.

            • 3. Re: crypto isakmp nat-traversal
              Steven Williams

              ESP does not have ports like UDP or TCP? I don't understand this? 

              • 4. Re: crypto isakmp nat-traversal
                Paul Stewart  -  CCIE Security

                TCP and UDP have source and destination ports.  For example, HTTP is usually sent to port 80.  VPNs that are IPsec based use ESP or AH.  AH isn't commonly used because IP header modifications will result in packets being dropped.  ESP is what is typically used.  There are no source and destination ports in ESP.  The only identifiable information is SPIs.  So many routers that do NAT overload struggle with this.  Remember that NAT overload (aka PAT) works by identifying flows and mapping them to unique TCP or UDP ports (source for outbound and destination for inbound).

                • 5. Re: crypto isakmp nat-traversal
                  Brian McGahan - 4 x CCIE, CCDE

                  ESP is a layer 4 transport protocol, just like TCP, UDP, EIGRP, OSPF, etc.  When TCP or UDP packets go through a NAT translation the router can keep track of not only the source and destination address, but the source and destination ports.  These four values - source address, source port, destination address, and destination port - make up the "flow".  The values in the flow are what allow the router to not only perform the NAT translation, but perform the Port Address Translation (PAT) or "overload".  This means that as long as one of these four values is unique in the flow, the router can translate.


                  For example, you may have two inside hosts that are browsing to the same public web server, while the router in the middle is translating the source address of both inside local hosts to the same inside global address.  This is okay because at least one of the values in the flow is unique; even though the (new) source address, destination address, and destination port are the same, the source port is different because it's a random value.


                  With ESP, since it doesn't have port values (just like EIGRP or OSPF), it has problems going through Port Address Translations, since there are fewer unique values that can identify the flow.  For example, suppose that you have two remote workers staying at the same hotel, and they're both trying to VPN into the main office router.  If the border router is doing a NAT overload to its outside address, the NAT process has no way to distinguish one VPN session from another.  This is because they would both have the same source address, destination address, and layer 4 protocol (ESP).  Even though in the payload of the packets the sessions are different, e.g. have different IPsec SPIs, the NAT process doesn't know this.  This is why sometimes when you're on a public Wi-Fi network, like at a hotel, it'll ask you if you need a public address for VPN purposes.  This allows them to do a 1:1 ESP NAT translation for your particular host.


                  Another option is to do NAT Traversal/Transparency (NAT-T).  In this case the ESP traffic is tunneled inside of UDP (typically over UDP port 4500), which then allows the NAT process of the border router to uniquely identify the flow based on the source address, source UDP port, destination address, and destination UDP port, even if two inside hosts have VPN connections to the same outside server.  This is effectively what the crypto isakmp nat-traversal command does.  It allows the ASA to offer NAT-T to the remote access VPN clients that are trying to connect to it.  Without this the remote clients would need public addresses or a 1:1 ESP translation on their border routers.
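
The collision Brian describes, as an added example that is not part of the original thread: a toy Python PAT table (constructed RFC 5737 addresses, and assuming a router that can only rewrite the source address of a port-less protocol) shows two inside hosts' raw ESP sessions to one peer colliding, while the same sessions wrapped in UDP/4500 each get their own translated source port.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PROTO_UDP = 17          # IP protocol numbers (IANA)
PROTO_ESP = 50
NAT_T_PORT = 4500       # UDP port used for ESP-in-UDP encapsulation (NAT-T)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None

class PatRouter:
    """Toy NAT overload (PAT): every inside host shares one outside address."""
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.table: Dict[Flow, Flow] = {}   # translated (outside) flow -> inside flow
        self.next_port = 1024

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Return the translated flow, or None when PAT cannot keep it unique."""
        if flow.sport is None:
            # No ports: once the source address is rewritten, nothing distinguishes a
            # second inside host talking ESP to the same peer (the SPI is payload).
            key = Flow(self.outside_ip, flow.dst, flow.proto)
            if key in self.table and self.table[key] != flow:
                return None
        else:
            key = Flow(self.outside_ip, flow.dst, flow.proto, self.next_port, flow.dport)
            self.next_port += 1
        self.table[key] = flow
        return key

def nat_t_encapsulate(flow: Flow) -> Flow:
    """Wrap an ESP flow in UDP/4500 as NAT-T does; the SPI stays in the payload."""
    return Flow(flow.src, flow.dst, PROTO_UDP, NAT_T_PORT, NAT_T_PORT)

def demo():
    """Two guests behind one hotel PAT (constructed addresses) VPN to the same office peer."""
    router = PatRouter("203.0.113.1")
    a = Flow("192.168.1.10", "198.51.100.5", PROTO_ESP)
    b = Flow("192.168.1.11", "198.51.100.5", PROTO_ESP)
    raw = (router.translate(a), router.translate(b))               # second one collides
    nat_t = (router.translate(nat_t_encapsulate(a)),
             router.translate(nat_t_encapsulate(b)))                 # both get unique ports
    return raw, nat_t
```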

                  • 6. Re: crypto isakmp nat-traversal
                    Fabio - FW specialist

                    In my daily experience it is better to have the same NAT-T configuration on both sides.

                    I also suggest verifying the security policy on all firewalls between your two ends, to permit UDP port 4500, which is needed for IPsec NAT-T.


                    Bye,

                    • 7. Re: crypto isakmp nat-traversal
                      Miles

                      I'm even more confused!...even though the above explanations were great.

                      Since it's "crypto isakmp nat-traversal"

                      Why would ISAKMP be affected by NAT/PAT if it runs on UDP 500?


                      Also, why wouldn't it be "crypto ipsec nat-traversal" if what it's doing is helping ESP get through NATing?


                      Sorry if these are stupid questions!

                      • 8. Re: crypto isakmp nat-traversal
                        Brian McGahan - 4 x CCIE, CCDE

                        The IPsec tunnel is negotiated via ISAKMP.  The command could just as easily have been implemented as crypto ipsec nat-traversal, but it wasn't.  The end result just means that NAT-T can be offered if the feature is on.

                        • 9. Re: crypto isakmp nat-traversal
                          Ramanathan C

                          Thanks Brian for your explanation on NAT-T...

                          • 10. Re: crypto isakmp nat-traversal
                            dmorrow

                            Thanks Brian for the explanation. The NAT-T explanation in particular solved my issue.


                            I wasn't sure why it wasn't enough to have ipsec nat-traversal enabled on the client-side router, as I thought the VPN client would detect the NAT in the path; that was until I read you mentioning that it needs to be enabled on the VPN headend device in order for it to be offered to the VPN client.


                            I read this article to get a detailed behind-the-scenes understanding of the NAT detection process, so I thought I would post it for anyone who may be interested in additional reading on this subject:

                            See IKE Phase 1 Negotiation: NAT Detection

                            http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html
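
The NAT detection step that dmorrow's link covers, as an added example that is not the thread's or Cisco's code: the NAT-D check from RFC 3947, where each peer hashes the ISAKMP cookies together with the address and port it believes each end has, and the receiver recomputes the hash from the source it actually sees on the wire. SHA-1 stands in for whatever hash Phase 1 negotiated, and the cookies and addresses are constructed.

```python
import hashlib
import ipaddress
import struct
from typing import List, Tuple

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body (RFC 3947 section 3.2): HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here in place of the negotiated Phase 1 hash."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.IPv4Address(ip).packed
                        + struct.pack("!H", port)).digest()

def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port) -> List[bytes]:
    """A sender emits the hash of the peer's (destination) address first, then one
    hash per local address it might be sending from (a single address here)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]

def detect_nat(cky_i, cky_r, received, my_ip, my_port,
               seen_ip, seen_port) -> Tuple[bool, bool]:
    """Receiver side: compare the sender's hashes with hashes of the addresses the
    packet really carried.  Returns (peer_is_behind_nat, i_am_behind_nat)."""
    i_am_natted = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_natted = nat_d_hash(cky_i, cky_r, seen_ip, seen_port) not in received[1:]
    return peer_natted, i_am_natted

def demo() -> Tuple[bool, bool]:
    """Constructed case: client 192.168.1.10:500 behind a hotel PAT reaches the ASA at
    198.51.100.5:500, but the ASA sees the packet arrive from 203.0.113.1:1024."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed ISAKMP cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    client_payloads = build_nat_d(cky_i, cky_r, "192.168.1.10", 500, "198.51.100.5", 500)
    return detect_nat(cky_i, cky_r, client_payloads,
                      "198.51.100.5", 500, "203.0.113.1", 1024)
```

With the client's hash built from its private address and the ASA recomputing from the translated source, the ASA concludes the peer is behind NAT and switches the exchange to UDP/4500.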

                            • 11. Re: crypto isakmp nat-traversal
                              Elvin Arias

                              This is a great explanation. Thanks Brian.


                              Elvin

                              • 12. Re: crypto isakmp nat-traversal
                                Florin Bârhală

                                Hi Brian,


                                Great explanation!

                                When dealing with a classic site-to-site where just one of the vpn_peer is behind a NAT device, where do we have to enable NAT-T?


                                I am thinking of two possible answers:

                                1. Only on the vpn_peer with the public IP address, which will deal with NAT translations once it tries to establish the tunnel

                                2. On BOTH vpn_peers, as NAT-T requires being enabled on each end so NAT-T discovery messages can flow between them

                                • 13. Re: crypto isakmp nat-traversal
                                  Farhan Siraj Patel

                                  Thanks.


                                  Extremely informative.


                                  Regards,

                                  Farhan Patel