How to apply NAT inside an IPsec VPN to fit the firewall policy of the VPN server?
Some customers ask how to apply NAT to the traffic inside an IPsec tunnel, so that only a single IP address is seen in the remote network. This is needed with some VPN servers, such as Cisco and Juniper devices, which negotiate the IPsec connection with one network but, by their firewall policy, allow only a different IP address to access their local network, as illustrated below:
Head Office Local Network IP: 192.168.188.1/24
Vigor2960 Local Network IP: 192.168.1.1/24
The Head Office router only accepts traffic from the Vigor2960 when its source IP is 172.16.2.129.
This article shows how to configure the Vigor2960/3900 to meet this requirement.
1. Go to VPN and Remote Access >> VPN Profiles >> IPsec, and click Add to create an IPsec LAN-to-LAN profile.
- Tick Enable
- Enter the Local IP / Subnet Mask (192.168.1.0/24 in this example)
- Enter the IP of the remote VPN server as Remote Host
- Enter the Remote IP / Subnet Mask (192.168.188.0/24 in this example)
2. Go to the Advanced tab and set Apply NAT Policy to Enable.
- The Translated Local Network option becomes visible once Apply NAT Policy is enabled.
- Enter the IP address that the VPN server requires as the Translated Local Network.
- In this example it is the single IP 172.16.2.129, so select 255.255.255.255 as the subnet mask.
After this configuration, the Vigor2960 translates the source IP of LAN clients to 172.16.2.129 when they access the remote VPN network 192.168.188.0/24. The VPN server therefore sees only 172.16.2.129; its firewall policy and the remote network in its own VPN profile should refer to 172.16.2.129/32 rather than 192.168.1.0/24, and replies sent to 172.16.2.129 through the tunnel are mapped back to the LAN client that opened the connection.
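The decision a router makes for each packet with this profile (NAT policy, then the IPsec traffic-selector lookup, then the remote firewall check) can be modelled offline. The following is an added example written for this article, not DrayTek code: the addresses are the ones above, the remote firewall is assumed to be a plain source-address allow list, the Phase 2 local selector is assumed to become the Translated Local Network once Apply NAT Policy is on, and the handling of a translated network larger than a single IP (1:1 offset mapping) is an assumption that goes beyond the single-IP case in the text.

```python
"""Model of 'Apply NAT Policy' on a policy-based IPsec LAN-to-LAN tunnel.

Added example, not DrayTek firmware code. It reproduces the per-packet
decision chain of the branch router so the effect of the Translated Local
Network setting can be checked without a lab.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class IPsecProfile:
    local_net: str                        # Local IP / Subnet Mask
    remote_net: str                       # Remote IP / Subnet Mask
    translated_net: Optional[str] = None  # Translated Local Network (Apply NAT Policy)

    @property
    def local_selector(self) -> IPv4Network:
        # Assumption: with NAT enabled, the Phase 2 local selector is the translated network.
        return IPv4Network(self.translated_net or self.local_net)

    @property
    def remote_selector(self) -> IPv4Network:
        return IPv4Network(self.remote_net)


class NatInsideVpn:
    """Packet path of the branch router for one LAN-to-LAN profile."""

    def __init__(self, profile: IPsecProfile):
        self.profile = profile
        # (translated src, remote dst, client sport) -> original LAN src
        self.conntrack: dict = {}

    def translate(self, pkt: Packet) -> Packet:
        """Apply NAT Policy: rewrite the source of LAN -> remote-VPN traffic only."""
        p = self.profile
        src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
        if p.translated_net is None or src not in IPv4Network(p.local_net) \
                or dst not in p.remote_selector:
            return pkt  # not tunnel traffic, or NAT policy disabled: untouched
        tnet = IPv4Network(p.translated_net)
        if tnet.prefixlen == 32:
            new_src = tnet.network_address  # single IP: many-to-one, tracked per flow
        else:
            # Assumption (beyond the article): larger translated network = 1:1 offset mapping
            offset = int(src) - int(IPv4Network(p.local_net).network_address)
            if offset >= tnet.num_addresses:
                raise ValueError("translated network smaller than local network")
            new_src = tnet[offset]
        self.conntrack[(str(new_src), pkt.dst, pkt.sport)] = pkt.src
        return Packet(str(new_src), pkt.dst, pkt.sport, pkt.dport)

    def in_selectors(self, src: str, dst: str) -> bool:
        """Policy-based IPsec: only packets inside the negotiated selectors enter the SA."""
        return (IPv4Address(src) in self.profile.local_selector
                and IPv4Address(dst) in self.profile.remote_selector)

    def forward(self, pkt: Packet, remote_allowed_sources) -> tuple:
        """Outbound: NAT -> selector check -> remote firewall. Returns (verdict, source seen remotely)."""
        out = self.translate(pkt)
        if not self.in_selectors(out.src, out.dst):
            return ("not_in_tunnel", out.src)
        if not any(IPv4Address(out.src) in IPv4Network(n) for n in remote_allowed_sources):
            return ("rejected_by_remote_firewall", out.src)
        return ("accepted", out.src)

    def receive_reply(self, pkt: Packet) -> Optional[Packet]:
        """Inbound reply from the remote LAN: reverse the NAT via the conntrack entry."""
        if not self.in_selectors(pkt.dst, pkt.src):
            return None  # remote side did not send it through the tunnel
        if self.profile.translated_net is None:
            return pkt
        orig = self.conntrack.get((pkt.dst, pkt.src, pkt.dport))
        return None if orig is None else Packet(pkt.src, orig, pkt.sport, pkt.dport)


if __name__ == "__main__":
    allowed = ["172.16.2.129/32"]  # Head Office firewall policy from the article
    plain = NatInsideVpn(IPsecProfile("192.168.1.0/24", "192.168.188.0/24"))
    natted = NatInsideVpn(IPsecProfile("192.168.1.0/24", "192.168.188.0/24", "172.16.2.129/32"))
    req = Packet("192.168.1.10", "192.168.188.20", 40000, 80)  # constructed sample flow
    print("without NAT policy:", plain.forward(req, allowed))
    print("with NAT policy:   ", natted.forward(req, allowed))
    print("reply un-NATed to: ", natted.receive_reply(Packet("192.168.188.20", "172.16.2.129", 80, 40000)))
```

Running it shows the same request being rejected by the remote firewall when the tunnel carries 192.168.1.10, and accepted as 172.16.2.129 once the NAT policy is on; the reply to 172.16.2.129 is mapped back to 192.168.1.10 only because the remote side routed it into the tunnel (its selectors must include the translated address, not the original LAN).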