
What is NAT traversal in Cisco ASA?

crypto isakmp nat-traversal is the command. If a remote client is coming from a direct public IP address, like a publicly hosted server, then it connects over the tunnel the way a regular tunnel establishes, over UDP port 500, but if a client comes from behind a NATed IP address..

Why do we use port no UDP port 500 and UDP port 4500 in IPsec VPN?

UDP 500 is for ISAKMP, which negotiates IKE Phase 1 in an IPsec site-to-site VPN; it is the default port for ISAKMP and is used when there is no NAT in the transit path of the VPN traffic. When a NAT device does sit in the path, the ESP traffic that follows IKE has no port numbers for the NAT to translate, and that is why we need UDP 4500.

What is ESP port?

ESP (Encapsulating Security Payload) is the most common protocol for encapsulating the actual data in a VPN session. ESP is IP protocol 50, so it is not carried over TCP or UDP and has no port numbers. Because of this, NAT devices often have a problem with ESP (read on for more on this).

What ports are used for VPN?

Layer Two Tunneling Protocol (L2TP) uses UDP port 1701 and is an extension of the Point-to-Point Tunneling Protocol. L2TP is often used with IPsec to establish a Virtual Private Network (VPN). Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 and IP protocol 47, Generic Routing Encapsulation (GRE).

How does NAT traversal work on a VPN?

NAT Traversal is a feature that VPN devices detect automatically. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

How to disable NAT traversal on Cisco router?

There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated. You may wish to disable NAT traversal if you already know that your network uses an IPsec-aware NAT (SPI-matching scheme).

Can a NAT device handle IPsec without NAT traversal?

Without NAT Traversal and its UDP encapsulation of ESP packets with source port 4500 and destination port 4500, the NAT device has no transport-layer ports to translate and cannot forward the ESP traffic. In that sense NAT and IPsec are incompatible with each other, and NAT Traversal was developed to resolve this.
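The port and protocol facts above (IKE on UDP 500, ESP as IP protocol 50 with no ports, NAT-T moving both IKE and ESP onto UDP 4500) can be turned into a small traffic classifier of the kind a firewall or IDS analyst uses to see which IPsec datagrams a port-translating NAT can actually rewrite. This is an added example, not code from the page or from Cisco; the datagram records and the SPI values are constructed, and the 4-byte zero "non-ESP marker" and the 1-byte 0xFF keepalive on UDP 4500 follow RFC 3948.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTOCOL = 50       # ESP rides directly on IP and carries no port numbers
UDP_PROTOCOL = 17
IKE_PORT = 500          # ISAKMP / IKE Phase 1 when no NAT is in the path
NAT_T_PORT = 4500       # UDP-encapsulated IKE and ESP once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE headers on UDP 4500
NAT_KEEPALIVE = b"\xff"               # one-byte NAT keepalive on UDP 4500


@dataclass
class Datagram:
    """Minimal view of one IP datagram; ports are None for non-UDP/TCP."""
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes


def classify(dg: Datagram) -> str:
    """Label an IPsec-related datagram by protocol, port and leading bytes."""
    if dg.protocol == ESP_PROTOCOL:
        return "esp-raw"            # IP protocol 50: a PAT device cannot map it
    if dg.protocol != UDP_PROTOCOL:
        return "other"
    if IKE_PORT in (dg.src_port, dg.dst_port):
        return "ike"                # plain ISAKMP, only when no NAT is in path
    if NAT_T_PORT in (dg.src_port, dg.dst_port):
        if dg.payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if dg.payload[:4] == NON_ESP_MARKER:
            return "ike-nat-t"      # IKE moved to 4500 after NAT detection
        return "esp-udp"            # ESP header (SPI != 0) right after UDP
    return "other"


def survives_pat(dg: Datagram) -> bool:
    """A port-translating NAT needs transport ports to rewrite; raw ESP has none."""
    return dg.src_port is not None and dg.dst_port is not None


# Constructed sample: ESP header = SPI + sequence number; IKE header starts
# with an 8-byte initiator SPI. Real captures would carry full payloads.
ESP_HDR = struct.pack("!II", 0x12345678, 1) + b"\x00" * 8
IKE_HDR = struct.pack("!Q", 0x0102030405060708) + b"\x00" * 8
SAMPLE_CAPTURE = [
    Datagram(ESP_PROTOCOL, None, None, ESP_HDR),
    Datagram(UDP_PROTOCOL, IKE_PORT, IKE_PORT, IKE_HDR),
    Datagram(UDP_PROTOCOL, NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + IKE_HDR),
    Datagram(UDP_PROTOCOL, NAT_T_PORT, NAT_T_PORT, ESP_HDR),
    Datagram(UDP_PROTOCOL, 51234, NAT_T_PORT, NAT_KEEPALIVE),  # source port rewritten by PAT
]


def summarize(capture=SAMPLE_CAPTURE) -> dict:
    """Count each class and how many datagrams a PAT device could translate."""
    counts = {}
    for dg in capture:
        counts[classify(dg)] = counts.get(classify(dg), 0) + 1
    counts["pat-translatable"] = sum(survives_pat(dg) for dg in capture)
    return counts
```

Running summarize() on the constructed capture reports one raw ESP datagram that a PAT device cannot translate alongside the four UDP datagrams that it can.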