NAT Traversal

Last Updated: Nov 06, 2012

Network Address Translation (NAT) is a solution to the problem of the scarcity and cost of public IP addresses. An organization with a single public IP address can use a NAT device to connect multiple computers to the Internet through that one address. However, NAT causes compatibility problems for many types of network applications, including VPN.

NAT Traversal enables the VPN peers to detect NAT devices along the path of the VPN tunnel. Once a NAT device is detected, the two peers tunnel IKE and IPSec traffic through an agreed-upon UDP port, allowing the NAT device to work seamlessly with VPN. The standard UDP port used is port 4500; to find out the port number in use, use the show crypto ipsec sa command.

The Branch Gateway IPSec VPN feature supports NAT Traversal. If your installation includes one or more NAT devices between the local and remote VPN peers, NAT Traversal should be enabled, although in some rare cases it may not be required.

Note:

NAT Traversal is enabled by default. Configure NAT Traversal only if you need to re-enable it after it was disabled with the no crypto ipsec nat-transparency udp-encapsulation command. NAT Traversal keepalive is also enabled by default (with a default value of 20 seconds). Configure NAT Traversal keepalive only if you need to re-enable it after it was disabled with the no crypto isakmp nat keepalive command.
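
When verifying a capture or writing a firewall rule for the tunnelled traffic and the keepalives described above, it helps to tell apart the three kinds of datagram that share UDP port 4500. The following is an added example, not part of the original page or the vendor's documentation. It assumes the RFC 3948 framing (a 4-byte zero marker before IKE, a non-zero SPI at the start of ESP, a single 0xFF byte for a keepalive); the function name and sample payloads are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                        # standard NAT Traversal UDP port
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948: precedes IKE on port 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")   # fixed ISAKMP/IKE header, 28 bytes


def classify_nat_t(payload: bytes):
    """Return (kind, fields) for one UDP payload seen on the NAT-T port."""
    if payload == b"\xff":
        # NAT keepalive: exactly one 0xFF octet, sent to keep the NAT mapping alive.
        return "nat-keepalive", {}
    if len(payload) < 8:
        return "malformed", {"reason": "too short"}
    if payload[:4] == NON_ESP_MARKER:
        # IKE message: the header follows the 4-byte non-ESP marker.
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return "malformed", {"reason": "truncated IKE header"}
        _, _, _, version, exchange, _, msg_id, length = IKE_HDR.unpack_from(ike)
        if length < IKE_HDR.size or length > len(ike):
            return "malformed", {"reason": "bad IKE length"}
        return "ike", {"major": version >> 4, "exchange": exchange, "msg_id": msg_id}
    # Anything else is UDP-encapsulated ESP: SPI (non-zero) then sequence number.
    spi, seq = struct.unpack_from("!II", payload)
    return "esp", {"spi": spi, "seq": seq}


# Constructed sample payloads (not taken from a real capture).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(
    b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, IKE_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16

if __name__ == "__main__":
    for name, data in [("keepalive", SAMPLE_KEEPALIVE),
                       ("ike", SAMPLE_IKE),
                       ("esp", SAMPLE_ESP),
                       ("short", b"\x00\x00")]:
        print(name, classify_nat_t(data))
```

With the default keepalive setting, a healthy idle tunnel should show a `nat-keepalive` datagram roughly every 20 seconds.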