By default, Cisco devices "auto-discover" whether native IPSec or NAT-T should be used during an IPSec negotiation.  This is not ideal, as it can change spontaneously and cause an outage.

There are two places where NAT-T can be configured; the first (set in IKE Parameters) is a system-wide setting, and the second (set on the Crypto Map) applies to a specific connection.

Here is a table showing the results of the combined settings:


Here is a screenshot showing the "system-wide" setting in IKE Parameters.  If this checkbox is not ticked, no connections on the device will be able to use NAT-T.

(screenshot: cisco1.png)

The following screenshot shows the NAT-T setting for a specific Crypto Map; this is where you should configure the NAT-T setting for a specific connection.  You will not be able to use NAT-T if the checkbox on the IKE Parameters page is not ticked.
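The CLI equivalent of the two settings above, added here as an example that is not part of the original page. It assumes a Cisco ASA configured through ASDM; the map name `outside_map`, sequence number `10` and the peer address are placeholders, and the crypto map entry is assumed to already exist.

```cisco
! Added example, not from the original page. Assumes a Cisco ASA;
! "outside_map", "10" and 203.0.113.10 are placeholder values.

! 1. System-wide setting (ASDM: IKE Parameters, "Enable IPsec over NAT-T").
!    If this is absent, no connection on the device can use NAT-T,
!    regardless of the per-crypto-map setting. 20 = NAT keepalive seconds.
crypto isakmp nat-traversal 20

! 2. Per-connection setting (ASDM: the NAT-T checkbox on the Crypto Map entry).
!    Pin the behaviour for this peer rather than leaving it to auto-discovery.
crypto map outside_map 10 set peer 203.0.113.10
!    Force native IPsec for this peer even though NAT-T is enabled globally:
crypto map outside_map 10 set nat-t-disable
!    ...or allow NAT-T for this peer (removes the per-map disable):
no crypto map outside_map 10 set nat-t-disable

! 3. Check what is actually in the running configuration after the change.
show running-config crypto isakmp
show running-config crypto map
```

Because the global and per-map settings interact, check both outputs in step 3 before and after a change so the effective behaviour for each peer is recorded in change control.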


When you run 'show running-config', you will NOT see the following 'nat-t disable' messages:

NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.