Enabling ipsec over nat-t – Cisco ASA 5505 User Manual
Page 1366
 
64-14
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring ISAKMP
The ASA uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN 
IKEv1 connections in main mode that authenticate with preshared keys.
The default setting is auto.
To change the peer identification method, enter the following command:
crypto isakmp identity {address | hostname | key-id id-string | auto}
For example, the following command sets the peer identification method to hostname:
hostname(config)# crypto isakmp identity hostname
Enabling IPsec over NAT-T
NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec 
traffic in UDP datagrams, using port 4500, which provides NAT devices with port information. NAT-T 
auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is 
disabled by default.
Note: Due to a limitation of the AnyConnect client, you must enable NAT-T for the AnyConnect client to
successfully connect using IKEv2. This requirement applies even if the client is not behind a NAT-T
device.
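As an added example (not code from this guide or from Cisco), the following Python decodes what NAT-T actually places on UDP port 4500. The wire formats are assumptions taken from the NAT-T RFCs rather than from this page: RFC 3948 (UDP-encapsulated ESP with the ESP header first, and the one-byte 0xFF NAT keepalive) and RFC 3947/RFC 7296 (a four-byte zero "non-ESP marker" in front of IKE on port 4500). It goes beyond the page by handling IKE, ESP and keepalive datagrams on the same port, which is what a capture shows when you verify that a peer behind NAT really negotiated NAT-T instead of native ESP. All sample datagrams are constructed inline.

```python
# Added example (not Cisco's code): classify datagrams on the NAT-T port.
# Assumed wire formats, from the NAT-T RFCs rather than from this manual page:
#   RFC 3948: UDP-encapsulated ESP starts with the ESP header (SPI, never zero).
#   RFC 3947 / RFC 7296: IKE on UDP 4500 is prefixed by a 4-byte zero non-ESP marker.
#   RFC 3948: a NAT keepalive is a single 0xFF byte.
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # SPIi(8) SPIr(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)


@dataclass
class NatTPacket:
    kind: str                            # "esp", "ike" or "keepalive"
    spi: Optional[int] = None            # ESP SPI (esp only)
    seq: Optional[int] = None            # ESP sequence number (esp only)
    ike_version: Optional[str] = None    # "IKEv1" or "IKEv2" (ike only)
    exchange_type: Optional[int] = None  # IKE exchange type (ike only)


def classify_nat_t(payload: bytes) -> NatTPacket:
    """Classify the UDP payload of one datagram sent to or from port 4500."""
    if payload == b"\xff":
        return NatTPacket(kind="keepalive")
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        major = ike[17] >> 4           # high nibble of the version byte
        exchange = ike[18]
        length = struct.unpack("!I", ike[24:28])[0]
        if length != len(ike):
            raise ValueError(f"IKE length field {length} != {len(ike)} bytes on the wire")
        return NatTPacket(kind="ike", ike_version=f"IKEv{major}", exchange_type=exchange)
    # Anything else is UDP-encapsulated ESP; SPI 0 is reserved, so it never looks like the marker.
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTPacket(kind="esp", spi=spi, seq=seq)


def summarize(payloads: Iterable[bytes]) -> dict:
    """Count packet kinds, e.g. to confirm a tunnel really moved to UDP/4500 after NAT-T was enabled."""
    return dict(Counter(classify_nat_t(p).kind for p in payloads))


# Constructed sample datagrams (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    b"\x11" * 8,      # initiator SPI
    b"\x00" * 8,      # responder SPI, zero in the first IKE_SA_INIT message
    33,               # next payload: SA
    0x20,             # version 2.0
    34,               # exchange type: IKE_SA_INIT
    0x08,             # flags: Initiator
    0,                # message ID
    IKE_HEADER_LEN,   # length: header only in this constructed sample
)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xab" * 24  # SPI, seq, then opaque ciphertext
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE)):
        print(name, classify_nat_t(pkt))
    print(summarize([SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, SAMPLE_KEEPALIVE]))
```

Because NAT-T is disabled by default on the ASA, the symptom to look for when a client behind NAT fails to connect is the absence of UDP/4500 traffic altogether: the peer falls back to native ESP (IP protocol 50), which the NAT device usually cannot translate.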
With the exception of the home zone on the Cisco ASA 5505, the ASA can simultaneously support 
standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP, depending on the client with which it is 
exchanging data. 
The following breakdown shows the connections with each option enabled:
Note: When IPsec over TCP is enabled, it takes precedence over all other connection methods.
Peer identification methods (keywords of the crypto isakmp identity command):
Address     Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Automatic   Determines ISAKMP negotiation by connection type:
            • IP address for preshared key.
            • Cert Distinguished Name for certificate authentication.
Hostname    Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
            information (default). This name comprises the hostname and the domain name.
Key ID      Uses the string the remote peer uses to look up the preshared key.
Options    Enabled Feature                                Client Position                   Feature Used
Option 1   If NAT-T is enabled                            and client is behind NAT, then    NAT-T is used
                                                          and no NAT exists, then           Native IPsec (ESP) is used
Option 2   If IPsec over UDP is enabled                   and client is behind NAT, then    IPsec over UDP is used
                                                          and no NAT exists, then           IPsec over UDP is used
Option 3   If both NAT-T and IPsec over UDP are enabled   and client is behind NAT, then    NAT-T is used
                                                          and no NAT exists, then           IPsec over UDP is used