Using nat-t, Enabling ipsec with ikev1 over tcp – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring ISAKMP
When you enable NAT-T, the ASA automatically opens port 4500 on all IPsec-enabled interfaces.
The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both:
• LAN-to-LAN
• Remote access
In a mixed environment, the remote access tunnels fail negotiation because all peers appear to be coming from the same public IP address, the address of the NAT device. Remote access tunnels also fail in a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is, the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a mixed LAN-to-LAN and remote access network of peers behind the NAT device.
Using NAT-T
To use NAT-T, you must perform the following tasks:
Step 1
Enter the following command to enable IPsec over NAT-T globally on the ASA:
crypto isakmp nat-traversal natkeepalive
The range for the natkeepalive argument is 10 to 3600 seconds. The default is 20 seconds.
For example, enter the following command to enable NAT-T and set the keepalive value to one hour:
hostname(config)# crypto isakmp nat-traversal 3600
Step 2
Select the before-encryption option for the IPsec fragmentation policy by entering this command:
hostname(config)# crypto ipsec fragmentation before-encryption
This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede 
the operation of NAT devices that do support IP fragmentation.
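The following is an added example, not part of the Cisco guide: a small pre-deployment check that reads ASA configuration text and reports whether the two settings from Step 1 and Step 2 are present and in range. The configuration lines and the hostname are constructed, and audit_nat_t is a hypothetical helper name.

```python
import re

# Constructed sample of the relevant lines from an ASA running-config (not a real device).
SAMPLE_CONFIG = """\
hostname asa-edge-1
crypto ipsec fragmentation after-encryption
crypto isakmp nat-traversal 3600
"""

# Range and default for the natkeepalive argument, as documented in Step 1.
KEEPALIVE_MIN, KEEPALIVE_MAX, KEEPALIVE_DEFAULT = 10, 3600, 20

NAT_T_RE = re.compile(r"^crypto isakmp nat-traversal(?:\s+(\d+))?\s*$")
FRAG_RE = re.compile(r"^crypto ipsec fragmentation (before-encryption|after-encryption)\s*$")


def audit_nat_t(config_text):
    """Return (findings, settings) for the NAT-T related lines of an ASA config.

    settings: nat_t (bool), keepalive (int or None), fragmentation (str or None)
    findings: list of issues a reviewer would want fixed before pushing the config
    """
    settings = {"nat_t": False, "keepalive": None, "fragmentation": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_T_RE.match(line)
        if m:
            settings["nat_t"] = True
            # No explicit value means the ASA default of 20 seconds applies.
            settings["keepalive"] = int(m.group(1)) if m.group(1) else KEEPALIVE_DEFAULT
            continue
        m = FRAG_RE.match(line)
        if m:
            settings["fragmentation"] = m.group(1)

    findings = []
    if not settings["nat_t"]:
        findings.append("NAT-T not enabled: peers behind NAT/PAT devices cannot negotiate")
    elif not KEEPALIVE_MIN <= settings["keepalive"] <= KEEPALIVE_MAX:
        findings.append(
            f"natkeepalive {settings['keepalive']} outside {KEEPALIVE_MIN}-{KEEPALIVE_MAX} seconds"
        )
    if settings["fragmentation"] != "before-encryption":
        findings.append("IPsec fragmentation policy is not before-encryption (Step 2 not applied)")
    return findings, settings


if __name__ == "__main__":
    for finding in audit_nat_t(SAMPLE_CONFIG)[0]:
        print("FINDING:", finding)
```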
Enabling IPsec with IKEv1 over TCP
IPsec/IKEv1 over TCP enables a Cisco VPN client to operate in an environment in which standard ESP 
or IKEv1 cannot function or can function only with modification to existing firewall rules. IPsec over 
TCP encapsulates both the IKEv1 and IPsec protocols within a TCP-like packet and enables secure 
tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default. 
Note
This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. You enable it globally, and it works on all IKEv1-enabled interfaces. It is a client-to-ASA feature only; it does not work for LAN-to-LAN connections.
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec over 
UDP, depending on the client with which it is exchanging data. IPsec over TCP, if enabled, takes 
precedence over all other connection methods.