What is NAT traversal in IPSec?

Network Address Translation-Traversal (NAT-T) is a method for getting around IP address translation issues encountered when data protected by IPsec passes through a NAT device for address translation. NAT-T encapsulates both IKE and ESP traffic within UDP with port 4500 used as both the source and destination port.

What port should you open to enable IPSec over NAT?

UDP port 500
A: To make IPSec work through your firewalls, you should open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through your firewalls.

Why NAT traversal is used in IPSec?

Nat Traversal, also known as UDP encapsulation, allows traffic to get to the specified destination when a device does not have a public IP address. It is clear NAT and IPsec are incompatible with each other, and to resolve this issue, NAT Traversal was developed.

Why does IPSec use port 4500?

UDP port 500 is the ISAKMP port for establishing PHASE 1 of IPSEC tunnnel. And UDP 500 is for ISAKMP which is used to negotiate the IKE Phase 1 in IPSec Site-to-Site vpn & is default port number for isakmp, used when there is no NATing in the transit path of the vpn traffic. This is why we need UDP 4500.

How does NAT traversal work in an IPSEC tunnel?

Shown below NAT is configured for traffic from Untrust to Untrust as PA_NAT device is receiving UDP traffic from PA2 on its Untrust interface and it is being routed back to PA1 after applying NAT Policy. Shown below is the bi-directional NAT rule for both UDP Ports 500 and 4500:

What kind of IP address do I need for NAT traversal?

Three ports in particular must be open on the device that is performing NAT for the VPN to work correctly. These ports are UDP port 4500 (used for NAT traversal), UDP port 500 (used for IKE) and IP protocol 50 (ESP). The ultimate fix to NAT-Traversal is to use a public IP address on the firewall’s external interface.

When was the last update to IPsec NAT support?

IPsec NAT Transparency Last Updated: March 30, 2012 The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec.

Do you need a Cisco account for IPsec NAT transparency?

An account on Cisco.com is not required. The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec.