Crypto isakmp nat traversal


Nat traversal

What is the exact use of NAT traversal? Can anybody explain with a scenario?


If a remote client is coming from a direct public IP address.. like a publicly hosted server, then it connects over the tunnel just like the normal tunnel establishes.. over UDP port 500, but if a client comes from behind a NATd IP address.. like airtel ADSL modem.. where u have a priv IP address.. but ISP PATs/NATs it.., then it connects over UDP 500.. however is encapsulated by another header.. the NAT-T header.

and it communicates over UDP 4500… then on the headend device.. like ASA you need to have NAT-T enabled

when u have NAT-T enabled.. both NATd clients and clients with public IP will be able to connect

however if u dont then only clients with public IP will b able to connect

and also on the VPN client.. u need to have a check on Enable Transparent Tunneling and the radio button should be selected for IPSEC over UDP (NAT/PAT)

this is under the VPN Profile ur connecting to on the Transport tab http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c5.html#wp2264331

by default on ASA NAT-T is enabled, crypto isakmp nat-traversal is the command

I hope this helps.

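An added example, not part of the original answer: Python code that classifies UDP payloads captured at the headend by the RFC 3948 NAT-T framing (non-ESP marker, one-byte keepalive, ESP-in-UDP) and reports whether encrypted data is actually flowing on UDP 4500 after the move from UDP 500. The function names, the (direction, port, payload) tuple layout and the sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

IKE_PORT, NAT_T_PORT = 500, 4500   # headend UDP ports named in the answer above

def classify(port: int, payload: bytes) -> str:
    """Classify one UDP payload by headend port and RFC 3948 framing."""
    if port == IKE_PORT:
        return "ike"                  # IKE before any NAT is detected
    if port != NAT_T_PORT:
        return "other"
    if payload == b"\xff":
        return "keepalive"            # one-byte NAT keepalive
    if len(payload) < 8:
        return "malformed"            # too short for SPI + sequence number
    if payload[:4] == b"\x00" * 4:
        return "ike-natt"             # non-ESP marker, then an IKE message
    return "esp-natt"                 # non-zero SPI: ESP carried inside UDP

def diagnose(packets) -> str:
    """packets: iterable of (direction, headend_port, payload); direction is 'in' or 'out'."""
    seen = Counter((classify(port, data), direction) for direction, port, data in packets)
    esp_in, esp_out = seen[("esp-natt", "in")], seen[("esp-natt", "out")]
    if esp_in and esp_out:
        return "ESP-in-UDP flowing both ways on 4500"
    if esp_in or esp_out:
        return "ESP-in-UDP seen in one direction only"
    if seen[("ike-natt", "in")] or seen[("ike-natt", "out")]:
        return "IKE moved to 4500 but no ESP-in-UDP seen"
    if seen[("ike", "in")] or seen[("ike", "out")]:
        return "IKE on UDP 500 only: NAT-T not in use"
    return "no IKE or NAT-T traffic"

# Constructed sample payloads (not from a real capture).
IKE_MSG = bytes(range(1, 9)) + bytes(20)                  # stand-in for an IKE message
ESP_PKT = struct.pack("!II", 0x1A2B3C4D, 1) + bytes(16)   # SPI, sequence, dummy ciphertext
SAMPLE = [
    ("in", 500, IKE_MSG), ("out", 500, IKE_MSG),
    ("in", 4500, b"\x00" * 4 + IKE_MSG), ("out", 4500, b"\x00" * 4 + IKE_MSG),
    ("in", 4500, b"\xff"),
    ("in", 4500, ESP_PKT),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```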

I would be able to explain it to you in detail, if you could let me know what you are trying to achieve on the device and which device you are working with.

We're using ASA 5520 in our environment. I am facing a problem, i.e. able to connect to VPN from outside network to LAN but not able to take a remote of LAN computer from a particular network connection (airtel ISP).

But when I try this from another service provider like reliance I'm able to take remote.


In this case, will NAT-T cause any issues while establishing the phase-1 tunnel between the end-clients?

In my scenario, I could see the tunnel got established but I do not see any Tx and Rx bytes under the VPN Session.