NAT for traffic in VPN tunnels

You can configure NAT for traffic in VPN tunnels in the properties of the Policy-Based VPN element.

By default, IP addresses in traffic that enters or leaves a VPN tunnel are not translated. An option in the properties of the Policy-Based VPN element, accessible through the right-click menu for the policy-based VPN, defines whether NAT is applied to traffic in VPN tunnels.

If the option to translate the IP addresses is enabled, the IP addresses in traffic that uses site-to-site VPN tunnels are translated according to the NAT rules. There is nothing VPN-specific in creating these NAT rules. However, the VPN configuration is affected if local protected addresses are translated using NAT:
  • In each VPN in which those addresses are translated using NAT, set the Site element that contains the private local addresses (the addresses before translation) to Private mode.
  • Add the translated addresses as a new Site for the gateway (disable the Site in other VPNs). This Site is in the default Normal mode.

VPN client traffic is translated according to the NAT Pool settings defined for the Firewall in the Engine Editor, or as defined in the NAT rules.