Palo Alto Networks Knowledgebase: NAT-Traversal in an IPSEC Gateway

Created On 09/25/18 18:01 PM - Last Updated 09/25/18 23:10 PM
Categories:  VPNs


Details

NAT traversal is required when address translation is performed after encryption, that is, when a NAT device sits between the firewall and its IPSEC peer. With this option enabled, the firewall encapsulates IPSEC traffic in UDP packets, which allows the next device on the path to apply address translation to the IP headers of those UDP packets.

Note: Encapsulating IPSEC in UDP is likely to require an adjustment to the MSS on the firewall and on devices between the firewall and the internet because of the extra headers. Palo Alto Networks firewalls have the option to automatically adjust the MSS.


Enabling NAT traversal via the GUI

  • Select the "Enable NAT Traversal" checkbox on the IKE Gateway configuration screen.

Enabling NAT traversal via the CLI

  • > configure
  • # set network ike gateway <gw name> protocol-common nat-traversal enable yes
  • # commit

Set the value to "yes" to enable NAT traversal or "no" to disable it.
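
To confirm from a packet capture that IPSEC traffic is UDP-encapsulated once the option is committed, the following Python classifier can be used. It is an added example, not part of the original article or Palo Alto Networks code. It assumes the standard NAT-T framing from RFC 3948 on UDP port 4500, which the article does not spell out, and the sample datagrams are constructed.

```python
import struct

NAT_T_PORT = 4500                      # UDP port for NAT-T (RFC 3948); not stated in the article
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes precede IKE messages on this port
UDP_HEADER_LEN = 8                     # bytes NAT-T adds to every ESP packet

def build_udp(sport, dport, payload):
    """Build a UDP datagram for the constructed samples (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload

def classify_nat_t(datagram):
    """Classify one raw UDP datagram (header + payload) seen on the outside interface."""
    if len(datagram) < UDP_HEADER_LEN:
        return {"kind": "malformed", "reason": "truncated UDP header"}
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(datagram):
        return {"kind": "malformed", "reason": "bad UDP length"}
    payload = datagram[UDP_HEADER_LEN:length]
    # A NAT device may rewrite the source port, so accept 4500 on either side.
    if NAT_T_PORT not in (sport, dport):
        return {"kind": "not-nat-t"}
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}           # keeps the NAT mapping alive
    if payload[:4] == NON_ESP_MARKER and len(payload) > 4:
        return {"kind": "ike", "ike_bytes": len(payload) - 4}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for ESP SPI and sequence"}
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header: SPI, sequence number
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "esp": build_udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 32),
    "ike": build_udp(61022, 4500, NON_ESP_MARKER + b"\x11" * 28),
    "keepalive": build_udp(61022, 4500, b"\xff"),
    "plain_ike_500": build_udp(500, 500, b"\x11" * 28),
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, classify_nat_t(dgram))
```

Tunnel data that still appears as bare ESP (IP protocol 50) rather than as "esp-in-udp" after the commit indicates that encapsulation is not in effect for that gateway.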

owner: panagent
