topic Re: NAT-T and VPN issues with a CISCO Firepower in Firewall and Security Management

NAT-T and VPN issues with a CISCO Firepower

ArathCG — Mon, 07 Mar 2022 20:59:55 GMT

How's it going?

I have a question that I would like to clarify.
I have a 6600 appliance which cannot establish a VPN with a CISCO Firepower, I have global NAT-T enabled in the appliance properties. On the CISCO side they use UDP encapsulation, but on the Check Point side the tunnel is established through IPSec and not NAT-T. So the behavior seems strange to me.
I changed offer_nat_t_initator parameter to true in order so if the peer wants to switch to using NAT-T port 4500 during the negotiation, we will offer it.

But this didn't work.

Can NAT-T be forced over a specific tunnel?

Re: NAT-T and VPN issues with a CISCO Firepower

Magnus-Holmberg — Mon, 07 Mar 2022 21:15:07 GMT

Had alot of issues with NAT-T and most have been resolved by changing to ike version2.

Re: NAT-T and VPN issues with a CISCO Firepower

ArathCG — Mon, 07 Mar 2022 22:06:48 GMT

Hi Magnus.
Thanks for the comment. I forgot to mention that I am working on IKEv2.