NAT-Traversal in an IPSEC Gateway

NAT-Traversal in an IPSEC Gateway

Created On 09/25/18 18:01 PM - Last Modified 06/12/23 08:30 AM



NAT traversal is required when address translation is performed after encryption. With this option enabled, the firewall will encapsulate IPSEC traffic in UDP packets allowing the next device over to apply address translation to the UDP packet's IP headers.

Note: Encapsulating IPSEC in UDP is likely to require an adjustment to the MSS on the firewall and on devices between the firewall and the internet because of the extra headers. Palo Alto Networks firewalls have the option to automatically adjust the MSS.

6-8-2012 1-13-06 PM.png


Enabling NAT traversal via the GUI

  • Selecting the "Enable NAT Traversal" checkbox on the IKE Gateway configuration screen.


Enabling NAT traversal via the CLI

  • # configure
  • # set network ike gateway <gw name> protocol-common nat-traversal enable no (yes)
  • # commit


owner: panagent

  • Print
  • Copy Link

Choose Language