- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
How can I disable/enable NAT traversal in VPN settings?
10/14/2021 
43 People found this article helpful
113,460 Views
Description
NOTE: This article describes about NAT traversal taking tunnel mode and ESP protocol as an example, NAT traversal also supported in AH protocol and in transport mode.
What is NAT-T or NAT traversal in IPSEC VPN?.
Traditionally, IPSec does not work when traversing across a device doing NAT/PAT(Network Address Translation and Port Address Translation), meaning if either one of the devices or both the devices terminating IPSEC is behind a NAT device, IPSEC will not work. To overcome this problem, NAT-T or NAT Traversal was developed.
NAT-T is an IKE phase 1 algorithm that is used when trying to establish a IPSEC VPN between two gateway devices where there is a NAT device in front of one of the gateway devices or both the gateway devices.
What is the Purpose of using NAT-T feature?.
In IPSEC, all critical information along with UDP/TCP header is encapsulated within ESP or AH header, ESP and AH itself is an protocol like TCP or UDP and carries no port information.If a NAT device is in between two IPSEC gateways and doing many to one NAT, it needs to do PAT(Port address translation) as well to maintain a consistent and proper session table. If a packet is encapsulated by ESP or AH header, PAT/NAT device will not have port information to translate source port and result is IPSEC traffic will not pass through the PAT/NAT device.When we use NAT-T Feature, IPSEC traffic is encapsulated using UDP header with source and destination port number as 4500 and provides port information for the NAT device to do Port Address Translation. How does NAT-T or NAT traversal works: In IKE main mode, first two messages detect whether NAT-T feature is supported on the IPSEC gateways and three and four messages detects whether there is NAT device between IPSEC gateways. If IPSEC gateways support NAT-T feature, both devices send NAT-D(NAT Discovery) payload, payload is the hash of source and destination IP and Source and destination port, receiving device will recalculate the hash, if hash matches there is no NAT device in between, if hash doesn't match there is a NAT device in between. If the IPSEC gateways detects an existence of NAT device, from message five and six of Phase 1, all IPSEC packets are encapsulated using UDP header with source and destination as port 4500(including quick mode messages and user data).
Packet Format of ESP in tunnel Mode without NAT-T
Packet Format of ESP in tunnel Mode with NAT-T: 
NOTE: To perform NAT traversal process both the IPSEC gateway devices should support NAT-T even though a particular device is not behind NAT device.
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- Navigate to Manage | Connectivity | VPN | Advance settings | Enable/Disable NAT traversal.
- By default in all SonicOS, NAT traversal will be enabled.
NOTE: NAT traversal feature in SonicWall is a global settings, changing this settings will affect all Global VPN and site to site VPN policies, also note that enabling this feature will not have impact on normal VPN working even though IPSEC gateways are not behind NAT device but disabling this feature will have impact the VPN policies where IPSEC gateway is behind NAT device.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
- Navigate to VPN settings|Advance settings| Enable/Disable NAT traversal.
- By default in all SonicOS, NAT traversal will be enabled.
NOTE: NAT traversal feature in SonicWall is a global settings, changing this settings will affect all Global VPN and site to site VPN policies, also note that enabling this feature will not have impact on normal VPN working even though IPSEC gateways are not behind NAT device but disabling this feature will have impact the VPN policies where IPSEC gateway is behind NAT device.
Related Articles
- 2FA authentication error using TOTP "Please try again later"
- Methods to add Address Objects
- Configure probe monitoring for WAN Failover and load balancing
Categories
- Firewalls > TZ Series > VPN
- Firewalls > NSa Series > VPN
- Firewalls > NSv Series > VPN
YES
NO