25-39
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Configuring VPN Global Settings
Navigation Path
• For remote access VPNs, do one of the following:
  – (Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click the NAT Settings tab.
  – (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one, then click the NAT Settings tab.
• For site-to-site VPNs, do one of the following:
  – Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs selector, then select VPN Global Settings in the Policies selector. Click the NAT Settings tab.
  – (Policy View) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector. Select an existing shared policy or create a new one, then click the NAT Settings tab.
Related Topics
• Understanding NAT in VPNs, page 25-37
• Configuring VPN Global Settings, page 25-29
Field Reference
Table 25-7 VPN Global Settings Page, NAT Settings Tab

Element: Enable Traversal Keepalive / Interval
Description: Whether to enable NAT traversal keepalive. NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.
If you select this option, configure the interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The value can be from 5 to 3600 seconds. The default is 10 seconds.
Note: On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or by using a FlexConfig (see Chapter 7, "Managing FlexConfigs").

Element: Enable Traversal over TCP / TCP Ports
Description: (Remote access VPNs only.) Supported on ASA and PIX 7.0+ devices.
When selected, encapsulates both the IKE and IPsec protocols within a TCP packet and enables secure tunneling through both NAT and PAT devices and firewalls.
If you select this option, specify the TCP ports for which you want to enable NAT traversal (NAT-T). You must configure TCP ports on the remote clients and on the VPN device. The client configuration must include at least one of the ports you set for the security appliance. You can enter up to 10 ports.
Tip: These ports are used for IKEv1 connections only. IKEv2 uses ports 500 and 4500 for NAT-T. Ensure that any ports that you specify are opened in the access rules for the applicable interface.
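The constraints in the table above (keepalive interval 5 to 3600 seconds, at most 10 NAT-T TCP ports, IKEv1-only TCP ports, IKEv2 on ports 500 and 4500, and the tip that the listed ports must be opened in the interface access rules) lend themselves to a pre-deployment check. The following Python script is an added example, not Cisco Security Manager code or any Cisco API: the NatSettings and AccessRule data shapes, the expects_ikev2 flag, the is_permitted() helper, and the convention that a destination port of 0 means "any port" are all assumptions made for this illustration, and the rule set and settings at the bottom are constructed sample input.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Limits taken from the NAT Settings tab field reference.
KEEPALIVE_MIN_SEC = 5
KEEPALIVE_MAX_SEC = 3600
KEEPALIVE_DEFAULT_SEC = 10
MAX_NAT_T_TCP_PORTS = 10
IKEV2_NAT_T_UDP_PORTS = (500, 4500)   # IKEv2 never uses the TCP port list


@dataclass(frozen=True)
class AccessRule:
    """One entry of the interface access rules (hypothetical shape for this example)."""
    action: str          # "permit" or "deny"
    protocol: str        # "tcp" or "udp"
    dst_port: int        # destination port; 0 means "any port" (assumption)


@dataclass
class NatSettings:
    """The NAT Settings tab as a plain data object (hypothetical shape)."""
    traversal_keepalive: bool = False
    keepalive_interval: int = KEEPALIVE_DEFAULT_SEC
    traversal_over_tcp: bool = False
    tcp_ports: Tuple[int, ...] = ()
    expects_ikev2: bool = False   # assumption: IKEv2 peers will connect through NAT


def is_permitted(rules: Sequence[AccessRule], protocol: str, port: int) -> bool:
    """First matching rule wins; traffic that matches no rule is dropped (implicit deny)."""
    for rule in rules:
        if rule.protocol == protocol and rule.dst_port in (0, port):
            return rule.action == "permit"
    return False


def validate_nat_settings(settings: NatSettings, rules: Sequence[AccessRule]) -> List[str]:
    """Return human-readable findings; an empty list means the tab agrees with the rules."""
    findings: List[str] = []

    if settings.traversal_keepalive and not (
        KEEPALIVE_MIN_SEC <= settings.keepalive_interval <= KEEPALIVE_MAX_SEC
    ):
        findings.append(
            f"keepalive interval {settings.keepalive_interval}s is outside "
            f"{KEEPALIVE_MIN_SEC}-{KEEPALIVE_MAX_SEC}s"
        )

    if settings.traversal_over_tcp:
        ports = settings.tcp_ports
        if not ports:
            findings.append("NAT-T over TCP is enabled but no TCP ports are listed")
        if len(ports) > MAX_NAT_T_TCP_PORTS:
            findings.append(f"{len(ports)} TCP ports listed; at most {MAX_NAT_T_TCP_PORTS} are allowed")
        if len(set(ports)) != len(ports):
            findings.append("TCP port list contains duplicates")
        for port in ports:
            if not 1 <= port <= 65535:
                findings.append(f"TCP port {port} is not a valid port number")
            elif not is_permitted(rules, "tcp", port):
                findings.append(f"NAT-T TCP port {port} is not permitted by the interface access rules")

    if settings.expects_ikev2:
        # The TCP port list does nothing for IKEv2; it needs UDP 500 and 4500 open.
        for port in IKEV2_NAT_T_UDP_PORTS:
            if not is_permitted(rules, "udp", port):
                findings.append(f"IKEv2 NAT-T needs UDP {port} permitted on the interface")

    return findings


# Constructed sample: a rule set that opens UDP 500 and one NAT-T TCP port,
# but forgot UDP 4500 and the second TCP port, then denies everything else.
SAMPLE_RULES = (
    AccessRule("permit", "udp", 500),
    AccessRule("permit", "tcp", 10000),
    AccessRule("deny", "tcp", 0),
    AccessRule("deny", "udp", 0),
)

SAMPLE_SETTINGS = NatSettings(
    traversal_keepalive=True,
    keepalive_interval=20,
    traversal_over_tcp=True,
    tcp_ports=(10000, 10001),
    expects_ikev2=True,
)


def check_sample() -> List[str]:
    """Run the validator over the constructed sample and return its findings."""
    return validate_nat_settings(SAMPLE_SETTINGS, SAMPLE_RULES)


if __name__ == "__main__":
    for line in check_sample() or ["no findings"]:
        print(line)
```

Running the script against the constructed sample reports two findings: the second NAT-T TCP port is blocked by the interface rules, and UDP 4500 is missing even though IKEv2 peers are expected. The ordered, first-match, implicit-deny evaluation in is_permitted() is what makes the access-rule check meaningful; a naive "is the port mentioned anywhere" test would miss a permit entry shadowed by an earlier deny.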