Can NAT and IPSec VPN Be Used Together?
Yes. When the two are used together, the firewall is generally deployed at the network egress and performs NAT on intranet packets destined for the Internet. A packet destined for the headquarters keeps its private address and is sent through the IPSec tunnel; it crosses the Internet with a public IP address added. On receiving the packet, the receiving firewall decapsulates it and identifies the packet's home branch from the private IP header. When specifying the ACL for the nat outbound command, exclude traffic destined for the headquarters, because that traffic does not require NAT.
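The following check is an added example, not vendor code: it parses Huawei-style `acl number` / `rule` lines and reports any flow protected by the IPSec ACL that the ACL given to nat outbound would still translate. The ACL numbers 3000 and 3100, the subnets, and the function names are assumptions made for illustration; rules are evaluated first-match in the order listed.

```python
import ipaddress
import re

# Huawei-style ACL rule line; source/destination are optional (omitted = any).
RULE = re.compile(r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+))?"
                  r"(?: destination (\S+) (\S+))?")
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in listed order."""
    acls, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.match(line)):
            action, s, sw, d, dw = m.groups()
            # ipaddress accepts wildcard (host-mask) notation such as 0.0.0.255
            src = ipaddress.ip_network(f"{s}/{sw}") if s else ANY
            dst = ipaddress.ip_network(f"{d}/{dw}") if d else ANY
            current.append((action, src, dst))
    return acls

def nat_conflicts(config, nat_acl, ipsec_acl):
    """Return IPSec-protected flows that the NAT ACL would still translate."""
    acls = parse_acls(config)
    findings = []
    for action, src, dst in acls[ipsec_acl]:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls[nat_acl]:  # first match wins
            if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # whole flow exempted from NAT before any permit
            if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                findings.append((str(src), str(dst)))
                break
    return findings

# Constructed samples: ACL 3000 is referenced by nat outbound, ACL 3100 by IPSec.
IPSEC = """acl number 3100
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
"""
WEAK = IPSEC + """acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
"""
FIXED = IPSEC + """acl number 3000
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255
"""
if __name__ == "__main__":
    print(nat_conflicts(WEAK, 3000, 3100), nat_conflicts(FIXED, 3000, 3100))
```

The check is conservative: a permit rule that overlaps a protected flow is reported unless an earlier deny rule covers the whole flow.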