How to check if NAT-T is enabled on a Cisco ASA.



There are 2 places on a Cisco ASA where NAT-T needs to be turned on.

The ASA has to be "allowed" to use NAT-T (first setting), then it needs to be enabled for a specific site-to-site connection.

Here is a table showing the results of the combined settings:


FIRST - NAT-T must be enabled in IKE Parameters in order for any connection to have NAT-T working 


NEXT - EnableNAT-T  on the individual crypto map for the IPSec connection.


NOTE: This work was done in the Cohesive Networks test environment and should still be reviewed by your organization’s networking staff, and appropriate change control mechanisms used to deploy changes.

Have more questions? Submit a request