Why can’t ESP packet pass through the PAT device?

It is because ESP is a protocol without ports, and that is what prevents it from passing through PAT devices. Because there is no port to change in the ESP packet, the binding database can't assign a unique port to the packet at the time it translates the private address to the publicly routable address. If the packet can't be assigned a unique port, the database binding won't complete and there is no way to tell which inside host sourced the packet. As a result, there is no way for the return traffic to be untranslated successfully.
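As an added illustration (not part of the original answer), here is a small Python model of a PAT binding table: an ESP packet (IP protocol 50) carries no transport port, so the device has nothing to allocate a unique outside port against and the return packet cannot be mapped back to an inside host, whereas the same flows carried inside UDP (as IPsec NAT-T does on port 4500) bind and untranslate normally. The addresses, ports and table layout are constructed for this example, and the UDP case goes one step beyond the answer above.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # constructed outside address of the PAT device
ESP = 50  # IP protocol number for ESP; no transport header, no ports
UDP = 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None models a portless protocol such as ESP
    dport: Optional[int] = None


class PATDevice:
    def __init__(self) -> None:
        # Binding table key is (protocol, outside port); a port is mandatory.
        self.bindings = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None means no binding could be created."""
        if pkt.sport is None:
            # ESP: nothing to rewrite, so every inside host would collapse onto
            # (proto 50, PUBLIC_IP) and be indistinguishable on return.
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.bindings[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, PUBLIC_IP, pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untranslate outside->inside by looking up (protocol, outside port)."""
        entry = self.bindings.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def demo() -> dict:
    pat, peer = PATDevice(), "198.51.100.7"  # constructed IPsec peer
    esp_flows = [Packet(ESP, "10.0.0.2", peer), Packet(ESP, "10.0.0.3", peer)]
    udp_flows = [Packet(UDP, "10.0.0.2", peer, 4500, 4500),
                 Packet(UDP, "10.0.0.3", peer, 4500, 4500)]
    esp_bound = [pat.outbound(p) is not None for p in esp_flows]
    out_a, out_b = (pat.outbound(p) for p in udp_flows)
    reply = Packet(UDP, peer, PUBLIC_IP, 4500, out_b.sport)  # peer answers host B
    return {"esp_bound": esp_bound,
            "udp_ports_unique": out_a.sport != out_b.sport,
            "udp_reply_to": pat.inbound(reply).dst}
```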