25-38
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Note When you enable PAT on Cisco IOS routers, an additional NAT rule is implicitly created for
split-tunneled traffic on deployment. This NAT rule, which denies VPN-tunneled traffic and permits all
other traffic (using the external interface as the IP address pool), is not reflected as a router platform
policy. You can remove the NAT rule by disabling this feature. For more information, see NAT Page:
Dynamic Rules, page 23-10.
You can configure site-to-site VPN traffic to bypass NAT. To bypass NAT configuration on Cisco IOS
routers, make sure the Do Not Translate VPN Traffic option is selected in the NAT Dynamic Rule
platform policy (see NAT Dynamic Rule Dialog Box, page 23-11). To exclude NAT on PIX Firewalls or
ASA devices, make sure this option is selected in the NAT Translation Options platform policy (see
Translation Options Page, page 23-15).
About NAT Traversal
NAT traversal is used for the transmission of keepalive messages when there is a device (middle device)
located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.
If the IP address of the VPN interface on the spoke is not globally routable, the NAT on the middle device
replaces it with a new globally routable IP address. This change is made in the IPsec header and violates
the checksum of the spoke, causing a mismatch with the hub’s checksum calculation. The result is loss
of connectivity between the hub and the spoke.
With NAT traversal, the spoke adds a UDP header to the payload. The NAT on the middle device changes
the IP address in the UDP header, leaving the IPsec header and checksum intact. On a middle device that
uses static NAT, you must provide the static NAT IP address (globally routable) on the inside interface.
The static NAT IP address is provided for all traffic through that interface that requires NAT. However,
if the middle device uses dynamic NAT where the NAT IP address is unknown, you must define dynamic
crypto on the hub to serve any connection request from the spoke. Security Manager generates the
required tunnel configuration for the spoke.
Note NAT traversal is enabled by default on routers running IOS version 12.3T and later. If you want to disable
the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 7,
“Managing FlexConfigs”).
You can define global NAT settings on the NAT Settings tab of the Global VPN Settings page as
described in Configuring VPN Global NAT Settings, page 25-38.
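The implicit PAT rule from the note at the top of this page and the NAT traversal and dynamic crypto behaviour just described, shown as an added IOS CLI example for a hub router. This is not configuration generated by Security Manager; the interface names, ACL name, subnets and pre-shared key are assumed placeholders.

```cisco
! Added example, not configuration generated by Security Manager: a hub
! router showing the behaviours described on this page. Interface names,
! ACL name, subnets (hub LAN 10.1.0.0/16, spoke LAN 10.2.0.0/16) and the
! pre-shared key are constructed placeholders.
!
! 1. PAT for Internet access with VPN-tunneled traffic excluded. This is the
!    shape of the NAT rule the PAT note says is created implicitly: deny the
!    tunneled traffic, permit everything else, overload the outside address.
!    The deny entry must precede the permit entry; order is significant.
ip access-list extended NAT-EXEMPT
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/0 overload
!
! 2. NAT traversal. UDP encapsulation is the IOS default (12.3T and later);
!    the keepalive interval keeps the middle device's NAT binding alive.
crypto ipsec nat-transparency udp-encapsulation
crypto isakmp nat keepalive 20
!
! 3. The spoke is behind dynamic NAT, so its public address is unknown.
!    A dynamic crypto map lets the hub accept the spoke's connection from
!    any source address. The wildcard pre-shared key is the simplest way to
!    make that work; certificates are preferable because a single shared key
!    is accepted from every peer address.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto dynamic-map SPOKES 10
 set transform-set TS
crypto map HUBMAP 65535 ipsec-isakmp dynamic SPOKES
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip nat outside
 crypto map HUBMAP
!
interface GigabitEthernet0/1
 description Inside (hub LAN)
 ip nat inside
```

Because the hub does not know the spoke's translated address, a dynamic crypto map can only respond to connection requests, so the spoke must always initiate the tunnel.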
Configuring VPN Global NAT Settings
Use the NAT Settings tab of the Global Settings page to define global Network Address Translation
(NAT) settings that enable devices that use internal IP addresses to send and receive data through the
Internet.
Note For site-to-site VPNs, if you want to bypass NAT configuration on IOS routers, make sure that the Do
Not Translate VPN Traffic option is selected in the NAT Dynamic Rule platform policy (see NAT
Dynamic Rule Dialog Box, page 23-11). To exclude NAT on PIX Firewalls or ASA devices, make sure
this option is selected in the NAT Translation Options platform policy (see Translation Options Page,
page 23-15).