top of page
Search
Celal
Jun 7, 2022

How does the NAT-Traversal work in IPSEC on Cisco ASA?

Many users use the modem in their homes. This modem automatically does NAT. I have told you the meaning of the NAT before the last post. Today I will talk about NAT-T(Nat traversal). Sometimes I need open the tunnel to somewhere behind the NAT. Generally, IPSEC works IP to IP. So, we must define from real-IP to real-IP to establish the IPSEC tunnel. If we don't have enough real-IP for defining or may need different, that time we use the NAT-T feature on our device. You can look at the following topology to understand what I talk about.

I have prepared a simple topology to understand NAT-T with Eve-ng.


Lab Environment;

Cisco Asa

Cisco Router

Scenario-1:

We assume that the IPsec tunnel was established before.

I haven't activated the NAT-T feature on the firewall behind the NAT. Let's look at what will happen?


When you start to throw a ping from Vpc-1 to Vpc-2, you will see the reply packet from Vpc-2. Everything is ok. where is the problem. Also, the IPSEC tunnel is up.


Also, Router-1 NAT output is below.

After a certain time, I couldn't ping from Vpc-2 to Vpc-1. What happened?

Also, when I try to throw ping from Vpc-2 to Vpc-1, I took the below error on Router-1. However, the IPsec tunnel is up and the Router-1 NAT table is proper. As if there is something is missing :)

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=1.1.1.2, prot=50, spi=0xD6F342C4(3606266564), srcaddr             =2.2.2.6, input interface=Ethernet0/1

As a result, the NAT router couldn't match the traffic which comes from Vpc-2 with any NAT rules. Because Nat Router doesn't know who owns the traffic.


The traffic has to be trigged from Vpc-1 to establish properly the NAT table again.

After this, you will see the different NAT tables and be able to throw ping from Vpc-2.

If you realize that there is no port number for the ESP packet. This is critical for the return traffic.


For this, you can find the Wireshark output at the bottom of this page.


Scenario-2:

To eliminate these disadvantages, the NAT-T feature was developed.

I have activated the NAT-T feature on both firewalls. Let's look at what will happen?

IPSEC is up and Ping is ok from Vpc-1 to Vpc-2.

Also, Router-1 NAT output is below.

4500 port appeared on the NAT table. What is the port 4500? This port is used by NAT-T. NAT-T feature has to be enabled for both firewalls. Both firewalls exchange NAT-D (NAT-Discovery) packets to understand whether there is NAT enabled device between them or not. If there is a NAT-enable device between them, all ISAKMP packets change from UDP port 500 to UDP port 4500. NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well.

Also, To prevent NAT sessions from being aged or deleted, configure the NAT keepalive feature on the IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive. The default interval is 20 seconds.

Thanks for Reading.




4,055 views0 comments
  • Twitter

©2020, Founded by NetworkTcpIP.

bottom of page