NAT-Traversal in an IPSEC Gateway

Created On 09/25/18 18:01 PM - Last Modified 06/12/23 08:30 AM


Resolution


Details

NAT traversal is required when address translation is performed after encryption. With this option enabled, the firewall encapsulates IPSEC traffic in UDP packets, which allows the next device in the path to apply address translation to the IP headers of the UDP packet.

Note: Encapsulating IPSEC in UDP is likely to require an adjustment to the MSS on the firewall and on devices between the firewall and the internet because of the extra headers. Palo Alto Networks firewalls have the option to automatically adjust the MSS.
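
The following Python example is added here for illustration and is not Palo Alto Networks code. It wraps an ESP packet in a UDP header and classifies datagrams seen on the NAT-T port, which also shows the 8 extra bytes per packet that contribute to the MSS adjustment. The UDP port 4500, the zero checksum, the four-zero-byte non-ESP marker and the 0xFF keepalive come from RFC 3948, not from this article; the function names and sample packets are constructed.

```python
import struct

NATT_PORT = 4500     # assumption: NAT-T port per RFC 3948, not stated in this article
UDP_HEADER_LEN = 8   # bytes added in front of every ESP packet


def udp_encapsulate(esp_packet: bytes, sport: int = NATT_PORT, dport: int = NATT_PORT) -> bytes:
    """Prefix an ESP packet (SPI | sequence number | ciphertext) with a UDP header."""
    if len(esp_packet) < 8 or esp_packet[:4] == b"\x00\x00\x00\x00":
        raise ValueError("not an ESP packet: SPI must be present and non-zero")
    # Checksum 0: RFC 3948 has IPv4 senders transmit a zero UDP checksum, so a NAT
    # only has to rewrite the outer IP/UDP headers, never the encrypted payload.
    length = UDP_HEADER_LEN + len(esp_packet)
    return struct.pack("!HHHH", sport, dport, length, 0) + esp_packet


def classify_natt(datagram: bytes) -> str:
    """Classify one UDP datagram (header + payload) by its NAT-T framing."""
    if len(datagram) < UDP_HEADER_LEN:
        return "malformed"
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        return "malformed"
    if NATT_PORT not in (sport, dport):   # a NAT may rewrite one side's port
        return "not-natt"
    payload = datagram[UDP_HEADER_LEN:]
    if payload == b"\xff":
        return "nat-keepalive"            # keeps the NAT mapping alive
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                      # non-ESP marker precedes IKE messages
    return "esp-in-udp"                   # first 4 bytes are a non-zero SPI


# Constructed sample data (not captured traffic)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)
SAMPLE_IKE = struct.pack("!HHHH", 40000, NATT_PORT, 8 + 4 + 28, 0) + bytes(4) + b"\x11" * 28
SAMPLE_KEEPALIVE = struct.pack("!HHHH", NATT_PORT, 40000, 9, 0) + b"\xff"

if __name__ == "__main__":
    for name, dgram in [("esp", udp_encapsulate(SAMPLE_ESP)), ("ike", SAMPLE_IKE),
                        ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, len(dgram), classify_natt(dgram))
```
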


Enabling NAT traversal via the GUI

  • Select the "Enable NAT Traversal" checkbox on the IKE Gateway configuration screen.

 

Enabling NAT traversal via the CLI

  • # configure
  • # set network ike gateway <gw name> protocol-common nat-traversal enable yes   (use "no" to disable)
  • # commit

 

owner: panagent


