We have launched the new version of the DrayTek website, and this content is no longer being maintained.
You will find more information on our new site; however, we will keep this page for a few months.

How to do NAT inside IPSec VPN to fit Firewall Policy of VPN server?

Some customers ask about applying NAT to traffic inside an IPsec tunnel so that only a single IP address is seen in the remote network. This is necessary in some VPN networks because some VPN servers, such as Cisco and Juniper, use one network for creating the IPsec connection but, through their firewall policies, allow a different IP address to access their local networks, as illustrated below:


Head Office Local Network IP:
Vigor2960 Local Network IP:
Head Office Router only accepts Vigor2960 to use IP to access its local network.
This article shows how to configure Vigor2960/3900 for this purpose.


1. Go to VPN and Remote Access >> VPN Profiles >> IPsec page, click Add to create an IPsec LAN to LAN profile.

- Tick Enable

- Enter Local IP/ Subnet Mask

- Enter the IP of the remote VPN server as Remote Host

- Enter Remote IP/ Subnet Mask




2. Go to the Advanced tab and select Enable for Apply NAT Policy.

- The Translated Local Network option becomes visible after enabling Apply NAT Policy.

- Enter the IP that the VPN server requests as Translated Local Network.
- In this example, it is a single IP so we shall select as the subnet mask.



After above configuration, Vigor2960 will translate the source IP to while the LAN clients want to access remote VPN network .
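The effect of the Translated Local Network setting, as an added example that is not DrayTek code: a generic model of many-to-one source NAT applied before traffic enters the tunnel, with the remote firewall policy checked against the translated address. All addresses and the starting port are constructed sample values, and the port-translation scheme is an assumption about how replies are mapped back to LAN clients.

```python
import ipaddress

# Constructed sample values, not taken from the article.
LOCAL_NET = "192.168.1.0/24"    # Local IP / Subnet Mask of the VPN profile
REMOTE_NET = "172.16.1.0/24"    # Remote IP / Subnet Mask of the VPN profile
TRANSLATED_IP = "10.10.10.1"    # Translated Local Network (single IP)

class TunnelNat:
    """Many-to-one source NAT applied to traffic matched by the VPN profile."""

    def __init__(self, local_net, remote_net, translated_ip, first_port=40000):
        self.local_net = ipaddress.ip_network(local_net)
        self.remote_net = ipaddress.ip_network(remote_net)
        self.translated_ip = translated_ip
        self.next_port = first_port
        self.out = {}    # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.back = {}   # translated port -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the packet as the remote side sees it, or None if not tunnelled."""
        if (ipaddress.ip_address(src_ip) not in self.local_net
                or ipaddress.ip_address(dst_ip) not in self.remote_net):
            return None  # outside the profile's local/remote networks
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (self.translated_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, translated_port):
        """Map a reply back to the LAN client; None means unsolicited traffic."""
        return self.back.get(translated_port)

def head_office_allows(packet, allowed_src=TRANSLATED_IP):
    """Remote firewall policy: only the agreed source IP may reach its LAN."""
    return packet is not None and packet[0] == allowed_src

if __name__ == "__main__":
    nat = TunnelNat(LOCAL_NET, REMOTE_NET, TRANSLATED_IP)
    raw = ("192.168.1.10", 51000, "172.16.1.5", 443)
    print("without NAT allowed:", head_office_allows(raw))
    print("with NAT allowed:   ", head_office_allows(nat.outbound(*raw)))
    print("reply maps back to: ", nat.inbound(40000))
```

Because every LAN client appears as the same address, the remote side cannot open connections to individual LAN hosts, and its logs attribute all traffic to the translated IP.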
