NAT-T Traversal on a Cisco ASA

cisco-asaipsecnat;

I'm trying to set up a IPSec VPN connection between a Cisco ASA and a Mikrotik router (which is behind a Fritzbox in DMZ mode). I think everything is set up correctly except for that NAT-T is missing on the Cisco.

On a Mikrotik you can enable NAT-T per peer, but on the Cisco it's globally. Does enabling NAT-T there break other active tunnels? Or is it just a detection mechanism if IPSec needs to traverse NAT / DMZ devices?

Best Answer

NAT Traversal performs two tasks:

Detects if both ends support NAT-T
Detects NAT devices along the transmission path (NAT-Discovery)

If NAT-T is enabled and client is behind NAT, then NAT-T is used

no NAT exists, then Native IPsec (ESP) is used

So not gonna affect your current tunnels.

Related Solutions

Cisco – BGP Multihoming with 2900’s – one /24 and 2 ASA 5510’s

I can't figure out why you are running two instances of OSPF on the the 2900's. This looks way more complicated than it needs to be. You can run OSPF in passive mode on the firewall and distribute a default route from the 2900's. You put a static route on the 2900's for your /24 pointed at your firewall outside IP. Since this is active/standby, if the firewall fails over, the IP address moves with the active firewall. There really is no need to announce anything from the firewall, it is just listening for a default. If you are announcing a default, there is really no need for HSRP either, that can go away. The firewall will just send the traffic to where it hears the default. It might well load balance to both 2900's, though.

Seems you are making it a lot more complicated than it needs to be. There is only ONE firewall address in this configuration so a static route will work just fine. Even so, there is no need for more than one OSPF instance and the only thing you are using that for is to handle the case where a router dies. Then the firewall uses the remaining path where it hears the remaining default route.

Cisco ASA 9.0(1) – NAT / PAT

Here's an example configuration for what you're looking to accomplish.

First create an object for you server:

object network SRV1
host 10.203.5.1

Next, create the PAT rule that uses your outside interface IP:

object network SRV1
nat (inside,outside) static interface service tcp 3389 10001

The packet processing order of operations on 8.2 code and below is ACL --> NAT. Post 8.3 code is NAT --> ACL, so your ACL will have a permit to the inside network IP.

Finally, create your ACL rule:(assuming your access list name is outside_access_in)

access-list outside_access_in extended permit tcp any object SRV1 eq 3389

Rinse and repeat.

Best Answer

Related Solutions

Cisco – BGP Multihoming with 2900’s – one /24 and 2 ASA 5510’s

Cisco ASA 9.0(1) – NAT / PAT

Related Topic