
VPN Tunnel over NAT

Level 1


Is it possible to build a VPN connection if the official IP address of one side is NATed into a private address?

I will put the central endpoint of the VPN tunnels into a DMZ. The router will get an IP address out of the range The firewall will NAT an official IP address into the IP address (example

Is this possible?

The central router is a Cisco 3640. The home user will dial into the Internet with a Cisco 801.

What VPN technology can I use with this hardware?

Thanks for every help.

Best regards

Peer Kohlstetter

4 Replies

Cisco Employee

Yes, this is possible. If it's a true one-to-one translation then you don't need to do anything, just point the client at the NAT'd address and everything should work fine.

If it's a one-to-many translation (PAT) then it'll still work. Both the concentrator and the client support the new standard NAT-T so if you enable it on both ends, they'll figure out that they're going through a NAT/PAT device and automatically encapsulate everything in UDP port 4500 packets. You can also enable either "IPSec over UDP" or "IPSec over TCP" in the client and concentrator to encapsulate everything in UDP port 10000 (default) or TCP packets, which also gets around PAT problems.

In short, you should have no problems.
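To make the encapsulation choices in the reply above concrete, here is an added example (not from the thread or from Cisco) that classifies captured packets by VPN transport: native ESP (IP protocol 50), plain IKE on UDP/500, NAT-T on UDP/4500 (demultiplexed with the RFC 3948 non-ESP marker and keepalive byte), and the client's "IPSec over UDP" default of UDP/10000. The sample packets are constructed for the demo; the UDP/10000 rule only matches the port, since the payload layout of that Cisco-specific mode is not described in the thread.

```python
import struct

# IP protocol numbers; ESP carries no port numbers, which is why a PAT
# device cannot multiplex several native-ESP tunnels behind one address.
IP_PROTO_UDP, IP_PROTO_ESP = 17, 50

# RFC 3948 NAT-T framing on UDP/4500: IKE packets are prefixed with four zero
# bytes (the "non-ESP marker"); a lone 0xFF byte is a NAT keepalive that holds
# the PAT mapping open; anything else is an ESP packet starting with its SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def classify(ip_proto, dst_port, payload):
    """Label one packet (ip_proto, UDP dst port, UDP payload) by VPN transport."""
    if ip_proto == IP_PROTO_ESP:
        return "esp-native"
    if ip_proto != IP_PROTO_UDP:
        return "other"
    if dst_port == 500:
        return "ike"                       # ISAKMP before NAT-T detection completes
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-t-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "nat-t-ike"
        # ESP header: 32-bit SPI (must be nonzero) followed by 32-bit sequence number
        if len(payload) >= 8 and struct.unpack("!I", payload[:4])[0] != 0:
            return "nat-t-esp"
        return "nat-t-malformed"
    if dst_port == 10000:
        return "ipsec-over-udp"            # Cisco client default port quoted in the reply
    return "other"


def summarize(packets):
    """Count packets per transport label, e.g. to check which modes a PAT device is passing."""
    counts = {}
    for pkt in packets:
        label = classify(*pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic (not a real capture): one packet of each kind.
SAMPLE = [
    (IP_PROTO_UDP, 500, b"\x00" * 28),                                   # plain IKE
    (IP_PROTO_UDP, 4500, NON_ESP_MARKER + b"\x11" * 28),                 # IKE inside NAT-T
    (IP_PROTO_UDP, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\xaa" * 16),  # ESP inside NAT-T
    (IP_PROTO_UDP, 4500, NAT_KEEPALIVE),                                 # NAT-T keepalive
    (IP_PROTO_ESP, 0, struct.pack("!II", 0x00000100, 7) + b"\xbb" * 16),  # native ESP
    (IP_PROTO_UDP, 10000, b"\xcc" * 24),                                 # IPSec over UDP
]
```

Running `summarize(SAMPLE)` yields one packet under each label; on a real capture, native ESP appearing only from the outside-facing peer while the inside peer sends only UDP/4500 is the expected picture for a PAT'd endpoint.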


does this mean that you can set up a LAN to LAN tunnel with PAT in the middle?


Yep, should be able to as long as both ends support NAT-T.

One restriction on that is that only one end will be able to initiate the tunnel, since the device behind the PAT device won't be contactable directly. The device behind the PAT device will only be able to initiate the tunnel to the device on the Internet, not the other way around.