NATT anchor and NATT dynamic filters

When the remote peer is behind a NAT, the dynamic anchor still serves as a placeholder in the ordered list of filter rules. However, the dynamic filters that are created for a phase 2 Security Association are handled differently. When the phase 2 negotiation is successful, the dynamic filter pair that is created contains the 5-tuple information for which the Security Association was negotiated:

When the remote peer is behind a NAT, this 5-tuple might not be unique to a single Security Association. An additional structure, a NATT anchor, is generated to anchor the dynamic filters that share the same 5-tuple information. Each such dynamic filter is then an extension to the NATT anchor and is flagged as a NATT dynamic. For a sample display of NATT anchor and NATT dynamic filters, see Displaying active filters with the ipsec command.
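The following Python sketch is an added conceptual model of the relationship described above, not code from the product or its documentation. The class names, the sample addresses and the use of the NAT-assigned UDP encapsulation port to tell apart Security Associations under one anchor are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int

@dataclass
class DynamicFilter:
    five_tuple: FiveTuple
    sa_id: str                        # constructed label for a phase 2 SA
    natt: bool = False                # True = flagged as a NATT dynamic
    encap_port: Optional[int] = None  # assumed discriminator: NAT-assigned UDP port

@dataclass
class NattAnchor:
    five_tuple: FiveTuple
    dynamics: List[DynamicFilter] = field(default_factory=list)

class FilterTable:
    def __init__(self) -> None:
        self.plain: Dict[FiveTuple, DynamicFilter] = {}  # peers not behind a NAT
        self.anchors: Dict[FiveTuple, NattAnchor] = {}   # one NATT anchor per 5-tuple

    def install(self, ft: FiveTuple, sa_id: str,
                encap_port: Optional[int] = None) -> DynamicFilter:
        if encap_port is None:  # no NAT: the 5-tuple alone must identify the SA
            if ft in self.plain:
                raise ValueError("5-tuple already bound to an SA")
            self.plain[ft] = DynamicFilter(ft, sa_id)
            return self.plain[ft]
        # Behind a NAT: attach the dynamic as an extension of the shared anchor.
        anchor = self.anchors.setdefault(ft, NattAnchor(ft))
        if any(d.encap_port == encap_port for d in anchor.dynamics):
            raise ValueError("encapsulation port already bound under this anchor")
        dyn = DynamicFilter(ft, sa_id, natt=True, encap_port=encap_port)
        anchor.dynamics.append(dyn)
        return dyn

    def lookup(self, ft: FiveTuple,
               encap_port: Optional[int] = None) -> Optional[DynamicFilter]:
        if encap_port is None:
            return self.plain.get(ft)
        anchor = self.anchors.get(ft)
        if anchor is None:
            return None
        return next((d for d in anchor.dynamics if d.encap_port == encap_port), None)
```

In this model, two hosts behind the same NAT that negotiate Security Associations for the same traffic description end up as two NATT dynamics under one NATT anchor, and a lookup that ignores the extra discriminator cannot select between them.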