I need to know what does nat-traversal command do in ASA and what is it used for




  • Hi,

    This command enables the ASA to perform NAT-T.

    NAT-T is useful when you are doing PAT, as ESP is a regular layer-4 protocol  but does not have any port information like TCP, UDP, etc. So if you are doing PAT (port address translation) it will break your ESP tunnel, unless you have NAT-T enabled. NAT-T will be negotiated during ISAKMP phase-1 (NAT-D messages on debug cry isakmp sa) and it will encapsulate your IPSec traffic in UDP datagrams, using port UDP port 4500.

    If you are using NAT-T always remember to allow not only UDP port 500 for ISAKMP but also UDP port 4500 on your ACLs.


    Good luck!


Sign In or Register to comment.