Support for NAT and Port Address Translation

[Figure: IPv4 packet without ESP encapsulation (Original IP Header, TCP Header, Data) beside
an IPv4 packet with ESP encapsulation (Original IP Header, ESP Header, TCP Header, Data, ESP
Trailer, ESP Authentication). The TCP header, data, and ESP trailer are encrypted; the span
from the ESP header through the ESP trailer is authenticated. The original IP header is
neither encrypted nor authenticated.]

[Figure: IPv4 packet without Authentication Header (Original IP Header, TCP Header, Data)
beside an IPv4 packet with Authentication Header (Original IP Header, Authentication Header,
TCP Header, Data). AH authenticates the whole packet, including the IP header, apart from
fields that change in transit.]

334 Chapter 13: Virtual Private Networks

The Cisco Security Appliance supports ESP with NAT using a fixup protocol that allows for
application inspection of ESP. The Security Appliance also supports ESP with Port Address
Translation (PAT) by restricting ESP to a single port (port 0), but only for a single ESP
tunnel. The Security Appliance performs ESP tunnel serialization and the matching and
recording of Security Parameter Indexes (SPIs) for each ESP connection; because ESP carries
no port numbers, the SPI is what lets the appliance tell one ESP flow from another. The SPI
is a number that, combined with the destination IP address and the security protocol (ESP
or AH), uniquely identifies the SA. AH does not support a NAT or PAT device between the two
AH peers: the AH integrity check covers the IP header, including the source and destination
addresses, so any address rewrite invalidates the packet at the receiver. ESP can be
translated because its authentication covers only the ESP header, payload, and trailer, not
the outer IP header.
Another feature supported by the Security Appliance is NAT Traversal (NAT-T). NAT Traversal
allows ESP packets to pass through one or more NAT devices by encapsulating them in UDP
(port 4500), which gives a PAT device ports to translate. The command for NAT Traversal is
isakmp nat-traversal [natkeepalives]. The natkeepalives value is the interval, between 10
and 3600 seconds, at which keepalives are sent to keep the NAT translation from timing out.
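The following is an added example, not code from the Cisco text, that demonstrates the two points above with constructed packets: why a NAT that rewrites the outer source address invalidates AH but leaves ESP verifiable, why an ESP flow without ports has to be keyed on (destination, protocol, SPI), and what NAT Traversal's UDP/4500 encapsulation looks like on the wire. The key, addresses, payloads, and the truncated HMAC-SHA256 used as the ICV are all assumptions for illustration; no real SA or Cisco inspection code is involved.

```python
"""Added example (not from the Cisco text). Constructed IPv4/ESP and IPv4/AH packets
show why a NAT that rewrites the outer source address breaks AH but not ESP, how an
ESP "connection" is identified by (destination, protocol, SPI) when there are no
ports to translate, and how NAT Traversal wraps ESP in UDP/4500.
Key, addresses and payloads are made up; the ICV is a truncated HMAC-SHA256."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-integrity-key"  # assumption: shared SA integrity key
ESP, AH, UDP = 50, 51, 17
NAT_T_PORT = 4500  # UDP port used for NAT-T encapsulation (RFC 3948)


def ipv4_header(src, dst, proto, payload_len):
    # Header checksum left at 0: these packets never reach a real IP stack.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[20:total]


def esp_packet(src, dst, spi, seq, payload):
    # ESP ICV covers SPI + sequence number + payload only; the outer IP header is not covered.
    esp = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(KEY, esp, hashlib.sha256).digest()[:12]
    return ipv4_header(src, dst, ESP, len(esp) + 12) + esp + icv


def verify_esp(pkt):
    _, _, proto, body = parse_ipv4(pkt)
    expected = hmac.new(KEY, body[:-12], hashlib.sha256).digest()[:12]
    return proto == ESP and hmac.compare_digest(expected, body[-12:])


def esp_connection_key(pkt):
    # ESP has no ports, so the flow is keyed on (dst, protocol, SPI): the SA identifier.
    _, dst, proto, body = parse_ipv4(pkt)
    spi = struct.unpack("!I", body[:4])[0]
    return dst, proto, spi


def _ah_immutable_view(ip_hdr):
    # AH zeroes mutable fields (TTL, header checksum) but does cover src and dst addresses.
    view = bytearray(ip_hdr)
    view[8] = 0
    view[10:12] = b"\x00\x00"
    return bytes(view)


def ah_packet(src, dst, spi, seq, payload, next_hdr=6):
    # AH header: next header, payload length (in 32-bit words minus 2), reserved, SPI, seq.
    ah_hdr = struct.pack("!BBHII", next_hdr, (24 // 4) - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH, 24 + len(payload))
    icv = hmac.new(KEY, _ah_immutable_view(ip_hdr) + ah_hdr + bytes(12) + payload,
                   hashlib.sha256).digest()[:12]
    return ip_hdr + ah_hdr + icv + payload


def verify_ah(pkt):
    ip_hdr, ah_hdr, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac.new(KEY, _ah_immutable_view(ip_hdr) + ah_hdr + bytes(12) + payload,
                        hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, icv)


def nat_rewrite_source(pkt, new_src):
    # The one thing every NAT device does: replace the outer source address.
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def nat_t_encapsulate(esp_pkt, sport=NAT_T_PORT, dport=NAT_T_PORT):
    # NAT-T: the ESP header and body move behind a UDP header, so a PAT device has
    # ports to rewrite and the outer protocol becomes UDP instead of 50.
    src, dst, _, esp_body = parse_ipv4(esp_pkt)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp_body), 0) + esp_body
    return ipv4_header(src, dst, UDP, len(udp)) + udp


def nat_t_decapsulate(pkt):
    src, dst, proto, udp = parse_ipv4(pkt)
    sport, dport, _, _ = struct.unpack("!HHHH", udp[:8])
    inner = ipv4_header(src, dst, ESP, len(udp) - 8) + udp[8:]
    return src, dst, proto, sport, dport, inner


def demo():
    inside, peer, nat_ip = "10.1.1.5", "203.0.113.9", "198.51.100.1"  # constructed
    esp = esp_packet(inside, peer, 0x1234ABCD, 1, b"opaque ciphertext + trailer")
    ah = ah_packet(inside, peer, 0x1234ABCE, 1, b"cleartext tcp segment")
    natted = nat_t_decapsulate(nat_rewrite_source(nat_t_encapsulate(esp), nat_ip))
    return {
        "esp_ok_after_nat": verify_esp(nat_rewrite_source(esp, nat_ip)),
        "ah_ok_after_nat": verify_ah(nat_rewrite_source(ah, nat_ip)),
        "esp_key": esp_connection_key(esp),
        "nat_t_outer": natted[:5],
        "nat_t_esp_ok": verify_esp(natted[5]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints that the ESP packet still verifies after its source address is rewritten while the AH packet does not, that the only usable flow key for ESP is the (destination, 50, SPI) triple, and that after NAT-T encapsulation the outer packet is plain UDP 4500 to 4500 whose ESP contents still verify once the UDP header is stripped. The single-tunnel limit of the PAT case follows directly from the key: with port 0 for every tunnel, two tunnels to the same peer would be distinguishable only by SPI, which the appliance has to learn from the traffic itself.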