Enabling Ipsec Over Nat-T; Using Nat-T - Cisco PIX 500 Series Configuration Manual

Chapter 27
Configuring IPSec and ISAKMP
The Phase I ID can be one of the following:

Address (address)      Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Automatic (auto)       Determines ISAKMP negotiation by connection type: IP address for preshared
                       key, certificate Distinguished Name for certificate authentication.
Hostname (hostname)    Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
                       information (default). This name comprises the hostname and the domain name.
Key ID (key-id)        Uses the string the remote peer uses to look up the preshared key.
The security appliance sends this Phase I ID to the peer. This is true for all VPN scenarios except
LAN-to-LAN connections in main mode that authenticate with preshared keys: in that exchange the
identity payload is sent only after the encryption keys derived from the preshared key are in place,
so the responder has to select the key by the peer's IP address regardless of this setting.
The default setting is hostname.
To change the peer identification method, enter the following command:
crypto isakmp identity {address | hostname | key-id id-string | auto}
For example, the following command sets the peer identification method to automatic:
hostname(config)# crypto isakmp identity auto

Enabling IPSec over NAT-T

NAT-T lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec
traffic in UDP datagrams, using port 4500, which gives the NAT device port numbers to translate (ESP
itself, IP protocol 50, carries none). NAT-T auto-detects any NAT devices along the path and
encapsulates IPSec traffic only when one is present. This feature is disabled by default.
With the exception of the home zone on the Cisco ASA 5505, the security appliance can simultaneously
support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with
which it is exchanging data. When both NAT-T and IPSec over UDP are enabled, NAT-T takes
precedence. IPSec over TCP, if enabled, takes precedence over all other connection methods.
When you enable NAT-T, the security appliance automatically opens UDP port 4500 on all IPSec enabled
interfaces. Any other filtering device between the peers must also permit UDP 4500 alongside UDP 500.
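The NAT detection and UDP 4500 framing described above, worked through as an added example (this is not code from the Cisco manual or the security appliance): NAT-D hashes per RFC 3947 let each peer tell whether the other's address was rewritten in transit, and the RFC 3948 non-ESP marker lets IKE and ESP share port 4500. SHA-1 as the negotiated Phase 1 hash, the cookie values, and the 10.0.0.5 / 203.0.113.7 / 198.51.100.1 addresses are assumptions constructed for the demonstration.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefix marking IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive body


def nat_d(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 stands in for whatever hash Phase 1 negotiated (assumption for
    this example). IP is packed in network order, port is 2 bytes big-endian.
    """
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.sha1(data).digest()


def nat_rewrote(cky_i, cky_r, peer_nat_d, seen_ip, seen_port):
    """True when the address the peer hashed differs from the one actually
    seen on the wire, i.e. a NAT/PAT device rewrote it in transit."""
    return nat_d(cky_i, cky_r, seen_ip, seen_port) != peer_nat_d


def detect_nat(cky_i, cky_r, init_self, init_peer, resp_seen, resp_self):
    """Responder-side NAT detection during Phase 1.

    init_self / init_peer: (ip, port) the initiator believes it and the
    responder have; these are what it hashes into its two NAT-D payloads.
    resp_seen: source (ip, port) the responder actually observes.
    resp_self: the responder's own (ip, port).
    Returns (initiator_behind_nat, responder_behind_nat, esp_udp_port);
    esp_udp_port is None when no NAT is present and ESP stays on IP
    protocol 50, which is what "encapsulates only when necessary" means.
    """
    init_natted = nat_rewrote(cky_i, cky_r, nat_d(cky_i, cky_r, *init_self), *resp_seen)
    resp_natted = nat_rewrote(cky_i, cky_r, nat_d(cky_i, cky_r, *init_peer), *resp_self)
    port = NAT_T_PORT if (init_natted or resp_natted) else None
    return init_natted, resp_natted, port


def encapsulate(payload, is_ike):
    """Body of a UDP 4500 datagram. ESP rides bare (SPI 0 is reserved, so
    ESP never starts with four zero bytes); IKE gets the non-ESP marker."""
    if is_ike:
        return NON_ESP_MARKER + payload
    if payload[:4] == NON_ESP_MARKER:
        raise ValueError("ESP with SPI 0 would be mistaken for IKE on port 4500")
    return payload


def demux(body):
    """Classify a datagram received on UDP 4500 into (kind, inner_bytes)."""
    if body == NAT_KEEPALIVE:
        return "keepalive", b""
    if body.startswith(NON_ESP_MARKER):
        return "ike", body[len(NON_ESP_MARKER):]
    return "esp", body


if __name__ == "__main__":
    # Constructed topology: initiator 10.0.0.5 sits behind a PAT device that
    # presents it to the responder 198.51.100.1 as 203.0.113.7:61000.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    print(detect_nat(cky_i, cky_r, ("10.0.0.5", IKE_PORT), ("198.51.100.1", IKE_PORT),
                     ("203.0.113.7", 61000), ("198.51.100.1", IKE_PORT)))
    esp = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"<ciphertext>"
    print(demux(encapsulate(esp, is_ike=False)))
```

The edge case the marker handles is worth noting: because SPI 0 is reserved, ESP never legitimately begins with four zero bytes, so a receiver on port 4500 needs no other state to separate IKE from ESP. The single 0xFF keepalive is what keeps the PAT binding alive while a tunnel is idle, which is why an appliance behind a PAT device sends it periodically.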
The security appliance supports multiple IPSec peers behind a single NAT/PAT device operating in one
of the following networks, but not both:
LAN-to-LAN
Remote access
In a mixed environment, remote access tunnels fail negotiation because all peers appear to come
from the same public IP address, that of the NAT device. Remote access tunnels also fail in a
mixed environment because they often share a name with the LAN-to-LAN tunnel group (that is, the
IP address of the NAT device). This match can cause negotiation failures among multiple peers in a
mixed LAN-to-LAN and remote access network of peers behind the NAT device.

Using NAT-T

To use NAT-T, you must perform the following tasks:
Step 1    Enter the following command to enable IPSec over NAT-T globally on the security appliance.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03    Configuring ISAKMP    27-7
This manual is also suitable for: ASA 5500 series