Courseiva
VPNCCNA 200-301

IPsec NAT-T Not Working — VPN Behind NAT Failing

Presenting Symptom

VPN tunnel fails to establish or drops intermittently when one peer is behind a NAT device, with no IPsec security associations (SAs) formed.

Network Context

A small branch office with a Cisco 891 router behind a consumer-grade NAT router (e.g., ISP modem/router combo) connects to an enterprise headquarters with a Cisco 4331 router. The branch router runs IOS 15.7 and the HQ router runs IOS 16.9. The branch router's outside interface gets a private IP (192.168.1.100) and the NAT router translates it to a public IP. IPsec is configured with IKEv1 and preshared keys.

Diagnostic Steps

1

Check IPsec security associations

show crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.1.100
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encaps: 0
    #pkts decrypt: 0, #pkts encrypt: 0
    #pkts verify: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompress: 0
    #pkts not compressed: 0, #pkts not compr: 0
    #pkts no sa (send): 0, #pkts no sa (recv) 0
     local crypto endpt.: 192.168.1.100, remote crypto endpt.: 203.0.113.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

If no SAs are present (spi=0x0), the tunnel is not established. The local address shows the private IP (192.168.1.100) instead of the NAT-translated public IP, indicating NAT-T may not be negotiating correctly.

2

Check IKE phase 1 status

show crypto isakmp sa
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF   Status Encr Hash Auth DH Lifetime Cap.
1001  192.168.1.100   203.0.113.5            ACTIVE - des sha1 presh 2 23:59:54
1002  192.168.1.100   203.0.113.5            ACTIVE - des sha1 presh 2 23:59:54

If IKE SAs are present but IPsec SAs are not, the problem is likely in phase 2. If no IKE SAs, the issue is in phase 1. Note the local address is private, which may cause NAT-T issues.

3

Verify NAT-T is enabled and negotiate

show crypto ipsec transform-set
Transform set ESP-AES-256-SHA: { esp-256-aes esp-sha-hmac }
   will negotiate = { Tunnel,  },
   {  }

Check that the transform set does not explicitly disable NAT-T. NAT-T is enabled by default in IOS but can be disabled with 'no nat-transparency'. If the transform set includes 'mode transport', NAT-T may not work.

4

Check for NAT-T negotiation in debugs

debug crypto ipsec 6
IPSEC(validate_proposal): transform proposal not supported for identity: 
  local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
  local address: 192.168.1.100
  remote address: 203.0.113.5
  remote port: 500
  local port: 500
  NAT-T: not detected

The debug shows 'NAT-T: not detected' meaning the router does not detect NAT between itself and the peer. This can happen if the router's outside interface IP is private but the router does not realize it is behind NAT. The router must be configured to force NAT-T.

5

Check crypto map configuration for NAT-T settings

show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 203.0.113.5
    Extended IP access list 100
        access-list 100 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    Current peer: 203.0.113.5
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET,}
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

Look for any 'set nat-transparency' or 'set nat-t' lines. If absent, NAT-T uses default behavior which may not force encapsulation. The router may not detect NAT if the outside interface is not configured with a public IP.

Root Cause

The branch router's outside interface has a private IP address (192.168.1.100) but the router does not detect NAT because it is not configured to force NAT-T encapsulation. By default, Cisco IOS uses NAT-T only when it detects a NAT device in the path. Since the router's outside interface is private, it should detect NAT, but sometimes the detection fails due to the NAT router not altering the source port or the router's NAT detection mechanism being unreliable. The fix is to force NAT-T encapsulation using the 'crypto ipsec nat-transparency udp-encaps' command or by setting 'set nat-t' in the crypto map.

Resolution

1. Enable NAT-T globally (if not already): Router(config)# crypto ipsec nat-transparency udp-encaps 2. Alternatively, force NAT-T on the crypto map entry: Router(config)# crypto map CMAP 10 Router(config-crypto-map)# set nat-t 3. Ensure the outside interface has 'ip nat outside' if using NAT on the router itself, but in this scenario NAT is on the ISP router, so not needed. 4. Clear existing IKE and IPsec SAs to renegotiate: Router# clear crypto sa Router# clear crypto isakmp

Verification

1. show crypto ipsec sa | include local crypto endpt. Expected: local crypto endpt.: 192.168.1.100, remote crypto endpt.: 203.0.113.5 (Note: local address remains private, but SAs should be established) 2. show crypto isakmp sa Expected: Status ACTIVE for both IKE SAs (one for port 500, one for port 4500) 3. show crypto ipsec sa | include #pkts encaps Expected: #pkts encaps: >0, #pkts encrypt: >0 (traffic flowing) 4. debug crypto ipsec 6 | include NAT-T Expected: NAT-T: detected (or NAT-T: new style encapsulation)

Prevention

1. Always configure 'crypto ipsec nat-transparency udp-encaps' on routers that may be behind NAT, even if not currently behind NAT, to ensure compatibility. 2. Use static NAT or ensure the router's outside interface has a public IP when possible to avoid NAT complications. 3. Test VPN establishment with debug commands during initial deployment to confirm NAT-T negotiation.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where a VPN tunnel fails to establish when one peer is behind NAT. The exam may present a multiple-choice question asking why the tunnel is down, with options like 'NAT-T not enabled', 'ACL mismatch', or 'transform set mismatch'. The key fact a candidate must know is that NAT-T uses UDP port 4500 to encapsulate IPsec packets, and it must be enabled if a NAT device is present between peers.

Exam Tips

1.

Remember that NAT-T is enabled by default in IOS but may need to be forced with 'crypto ipsec nat-transparency udp-encaps' if detection fails.

2.

The exam may test that NAT-T uses UDP port 4500; if the firewall blocks port 4500, the tunnel will fail.

3.

Know the difference between 'set nat-t' in crypto map (forces encapsulation) and global 'crypto ipsec nat-transparency udp-encaps' (enables NAT-T globally).

Commands Used in This Scenario

debug crypto ipsec

Use this command to enable real-time debugging of IPsec security association (SA) negotiations and packet processing, typically for troubleshooting VPN connectivity issues.

show crypto ipsec sa

Displays the current state and statistics of IPsec security associations (SAs) to verify VPN tunnel establishment and monitor encrypted traffic.

show crypto isakmp sa

Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions