NAT-T&l2l下的keepalive

Enable NAT−Traversal (#1 RA VPN Issue)
NAT−Traversal or NAT−T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys
SOHO router. If NAT−T is not enabled, VPN Client users often appear to connect to the PIX or ASA without
a problem, but they are unable to access the internal network behind the security appliance.
Note: With IOS 12.2(13)T and later, NAT−T is enabled by default in IOS.
Here is the command to enable NAT−T on a Cisco Security Appliance. The 20 in this example is the
keepalive time (default).
PIX/ASA 7.1 and earlier
pix(config)# isakmp nat−traversal 20
·
PIX/ASA 7.2(1) and later
securityappliance(config)# crypto isakmp nat−traversal 20
·
Note: This command is the same for both PIX 6.x and PIX/ASA 7.x.

-------------------------------------------------------------------------------------------------------------

Enable ISAKMP Keepalives
If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN−to−LAN VPN tunnels and
LAN−to−LAN tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint
monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes
unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN
endpoints must support them.

Use these commands to configure ISAKMP keepalives on the PIX/ASA Security Appliances:
Cisco PIX 6.x
pix(config)# isakmp keepalive 15
¨
Cisco PIX/ASA 7.x, for the tunnel group named 10.165.205.222
securityappliance(config)# tunnel−group 10.165.205.222
ipsec−attributes
securityappliance(config−tunnel−ipsec)# isakmp keepalive
threshold 15 retry 10