NAT is normally applied to the cleartext packets that are carried inside an IPSec tunnel, not to the tunnel packets themselves. The simplest way to make NAT work with an IPSec VPN is therefore to terminate IPSec before NAT is applied to inbound traffic (and, in the outbound direction, to translate before encrypting). The general recommendations are:

— Enable NAT and IPSec on the same gateway; the operating system (Cisco IOS or PIX OS) then processes the packets in the proper order (inbound: decrypt, then translate; outbound: translate, then encrypt). Make sure the traffic destined for the tunnel is exempted from translation (for example by denying it in the NAT access list); otherwise its inside addresses are rewritten before the crypto access list is evaluated and the packets no longer match the tunnel

— Perform NAT "outside" the IPSec tunnel on a dedicated device, so that an incoming IPSec tunnel is terminated first and only the decrypted packets are address-translated

If the tunnel (IPSec) packets themselves must be translated, NAT can be applied in the packet path to ESP tunnel-mode packets, within the limitations noted earlier: ESP carries no transport ports and its integrity check does not cover the outer IP header, so a static one-to-one translation of the outer address leaves the packet verifiable, whereas AH, whose integrity check does cover the outer source and destination addresses, fails authentication after any translation.

PAT and IPSec


PAT breaks IPSec, because ESP (IP protocol 50) and AH (IP protocol 51) carry no port numbers for the PAT device to translate and key its state table on, so several inside hosts sharing one public address cannot be told apart

The solution is to encapsulate the IPSec packets in UDP so that ports are available again: either a proprietary encapsulation (Cisco IPSec over UDP or IPSec over TCP) or the standardized NAT-Traversal (NAT-T, RFC 3947/3948), which carries ESP inside UDP on port 4500
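As an added example (not from the original notes), the following Python models a PAT device and a static one-to-one NAT device acting on toy outer packets, and checks what each does to raw ESP, to AH and to UDP-encapsulated ESP. It illustrates both the static-NAT limitation discussed above (ESP survives, AH does not) and the PAT problem in this section (raw ESP cannot be translated, NAT-T wrapped ESP can). All packets, addresses and keys are constructed for the demonstration; the integrity check is HMAC-SHA1-96 as in RFC 2404, the NAT-T wrapper uses UDP port 4500 as in RFC 3948, and IP checksums are left at zero for brevity.

```python
"""Toy NAT/PAT versus IPSec outer packets (constructed packets and keys)."""
import hashlib
import hmac
import socket
import struct

UDP, ESP, AH = 17, 50, 51
NAT_T_PORT = 4500            # UDP port used by NAT-Traversal (RFC 3948)
IP_FMT = "!BBHHHBBH4s4s"     # minimal IPv4 header, no options

def ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header (checksum left at 0 for brevity) plus payload."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse(pkt):
    f = struct.unpack(IP_FMT, pkt[:20])
    return {"proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "body": pkt[20:]}

def hmac96(key, data):
    """HMAC-SHA1 truncated to 96 bits, the ESP/AH ICV of RFC 2404."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def esp(spi, seq, ciphertext, key):
    """ESP: the ICV covers the ESP header and payload only, not the outer IP header."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac96(key, body)

def esp_verify(pkt, key):
    body = parse(pkt)["body"]
    return hmac.compare_digest(hmac96(key, body[:-12]), body[-12:])

def _ah_covered(pkt):
    """Bytes AH authenticates: outer IP header with mutable fields zeroed, AH header with ICV zeroed, payload."""
    f = list(struct.unpack(IP_FMT, pkt[:20]))
    f[1] = f[4] = f[5] = f[7] = 0    # TOS, flags/fragment offset, TTL, checksum are mutable; addresses are not
    return struct.pack(IP_FMT, *f) + pkt[20:32] + b"\0" * 12 + pkt[44:]

def ah_packet(src, dst, spi, seq, inner, key):
    """AH tunnel-mode packet: next header 4 (IP-in-IP), payload length 4 (24-byte AH header)."""
    ah_hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq)
    icv = hmac96(key, _ah_covered(ipv4(src, dst, AH, ah_hdr + b"\0" * 12 + inner)))
    return ipv4(src, dst, AH, ah_hdr + icv + inner)

def ah_verify(pkt, key):
    return hmac.compare_digest(hmac96(key, _ah_covered(pkt)), pkt[32:44])

def static_nat(pkt, new_src):
    """One-to-one NAT: rewrite only the outer source address, whatever the IP protocol."""
    p = parse(pkt)
    return ipv4(new_src, p["dst"], p["proto"], p["body"])

class Pat:
    """Port address translation: many inside hosts share one public address via port mapping."""

    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, pkt):
        p = parse(pkt)
        if p["proto"] != UDP:        # raw ESP/AH carry no port field to key the table on: untranslatable
            return None
        sport, dport, ulen, _ = struct.unpack("!HHHH", p["body"][:8])
        key = (p["src"], sport)
        if key not in self.table:
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        udp = struct.pack("!HHHH", self.table[key], dport, ulen, 0) + p["body"][8:]
        return ipv4(self.public_ip, p["dst"], UDP, udp)

def nat_t(esp_bytes):
    """NAT-T: wrap ESP in UDP/4500 so that PAT has ports to translate (RFC 3948)."""
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_bytes), 0) + esp_bytes

def demo():
    key = b"toy-integrity-key"                   # constructed, not a real SA key
    e = esp(0x1234, 1, b"ciphertext-bytes", key)
    raw = ipv4("10.1.1.5", "203.0.113.9", ESP, e)
    wrapped = ipv4("10.1.1.5", "203.0.113.9", UDP, nat_t(e))
    ah = ah_packet("10.1.1.5", "203.0.113.9", 0x5678, 1, b"inner-ip-packet", key)
    pat, public = Pat("198.51.100.1"), "198.51.100.1"
    return {
        "pat_raw_esp": pat.outbound(raw),                                  # None: nothing to translate
        "pat_nat_t": pat.outbound(wrapped),                                # translated, ESP intact
        "esp_after_static_nat": esp_verify(static_nat(raw, public), key),  # True
        "ah_before_nat": ah_verify(ah, key),                               # True
        "ah_after_static_nat": ah_verify(static_nat(ah, public), key),     # False
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, parse(value) if isinstance(value, bytes) else value)
```

The PAT model only handles UDP, which is enough to show the point: a raw ESP or AH packet has no port for the translator to rewrite or to map a return packet back to, so it is dropped, while the same ESP bytes wrapped in UDP/4500 get a fresh source port and pass through with the ESP header and ICV untouched. The static NAT path shows the asymmetry between the two IPSec protocols: changing the outer source address leaves the ESP ICV valid but invalidates the AH ICV, because AH signs the addresses.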

