serpant2012
Member
Posts:
102
Joined:
Mon Jul 30, 2012 7:37 am
Certs:
A+ N+ Apple Desktop Support, CCENT, CCNA R\S

NAT Traversal

Tue Jun 28, 2016 8:15 am

Hello, if someone can explain what NAT Traversal is, that would be great.
I'm looking at our site-to-site tunnel in the crypto-map section and I see that NAT Traversal is enabled.
I tried searching the forum first, however I couldn't find any clear explanation as to what it does.

Thanks in advance, I appreciate it.

Have a good day!

ski
Senior Member
Posts:
303
Joined:
Sat Mar 31, 2012 5:01 pm
Certs:
CCNA CCNP CCIP CCNA Security

Re: NAT Traversal

Tue Jun 28, 2016 1:39 pm

NAT-T means that the VPN peer can be behind a NATed IP address, like a DSL modem or something like that.

Suppose you have a static public IP but you need a cable modem because your ISP uses coaxial cables and your VPN device does not have such an interface, or you cannot configure PPPoE or whatever; then your router/firewall also gets a private IP on its outside interface from that modem, and all traffic is NATed by it. In that case, at the VPN negotiation phase, the VPN devices can recognize that you are behind a NAT device.

This is just an option; it does not influence the tunnel functionality, so you can leave it enabled.

thefan990
New Member
Posts:
21
Joined:
Thu Aug 11, 2011 9:28 am
Certs:
Network+, A+, Apple HelpDesk

Re: NAT Traversal

Tue Aug 02, 2016 1:58 pm

Hello ski,

Thank you for your explanation, I think I get it. So if my firewall has a 192.168.100.254 address, then the tunnel will see that I have a private address and will have to use my outside address as opposed to my private one to form the tunnel.

ski
Senior Member
Posts:
303
Joined:
Sat Mar 31, 2012 5:01 pm
Certs:
CCNA CCNP CCIP CCNA Security

Re: NAT Traversal

Fri Aug 05, 2016 12:10 pm

NAT-T plays a role when negotiating the tunnel parameters between you and your partner VPN device. It does not have anything to do with the traffic passing through it.

For a site-2-site tunnel, both partners have to have static IPs. To get a static IP, you can either get it directly from the ISP, or you get a modem or some kind of telecom equipment which owns it, and when you go through it, you will get NATed to the static public IP.

NAT-T can only determine whether your VPN endpoint has a direct (not ISP-NATed) internet connection or not. That's all.
