2 Replies Latest reply on Jul 9, 2013 7:22 AM by noor

    NAT Over VPN

    pta200 New Member

      Are there any configuration examples for NAT over VPN tunnel?  The application in question is VPN access to some some servers at a city agency that require a VPN tunnel. Access also requires NATing our office IP scope with an address provided by the city agency to comply with their policy/access list. So the path would look something like

       

      192.168.20.0/24 --> NAT (10.224.1.1) -> VPN Tunnel -> Server IP 161.185.12.2

       

      thanks,

      Paolo

        • Re: NAT Over VPN
          Employee

          pta200 - Thanks for posting your question on the forum!

           

          The important thing to remember when configuring this application is mainly 2 points:

           

          1. The VPN selectors must match what the source and destination IP will be AFTER the traffic has been NATted.

          2. Instead of having an ALLOW in your firewall rules for VPN traffic, you will need to configure NATs for this traffic.

           

          The following thread has an example configuration in it that you may find helpful: Re: Same destination LAN on each end of a VPN tunnel.

           

          Also, example #2 in the guide below has a similar setup with a sample configuration as well:

           

          Configuring NAT Pools in AOS

           

          Please do not hesitate to let us know if you have any questions.

           

          Thanks,

          Noor

          • Re: NAT Over VPN
            Employee

            pta200 -

            I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

             


            Thanks,

            Noor