FAQ-Are There Special Requirements If I Configure Both NAT and VPN Correctly on a NGFW

Publication Date: 2015-07-01

Issue Description

Are There Special Requirements If I Configure Both NAT and VPN Correctly on a NGFW?


If you configure both NAT and virtual private network (VPN) functions on a NGFW, you need to configure a NAT policy to prevent the NGFW from performing NAT on data flows that are to be encapsulated using the VPN. In the following example, Figure 11-2 shows the networking for NAT and an Internet Protocol Security (IPSec) VPN.

Figure 1-1 NAT and IPSec VPN

As shown in Figure 11-2, a NGFW connects networks A and B to the Internet. PCs on both networks communicate over an IPSec VPN tunnel.

After traffic from networks A and B arrives at the NGFWs, the NGFWs apply NAT to all data flows except those to be transmitted over the IPSec VPN tunnel. NAT policies need to be configured so that each NGFW can separate NAT traffic from IPSec VPN traffic. In the following example, Figure 11-3 shows the configuration on NGFW_A.

Figure 1-2 NAT policies

The NAT policy configuration on NGFW_B is similar to that on NGFW_A. The difference is that the source and destination addresses in the NAT policy on NGFW_B are the reverse of those specified on NGFW_A.
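
The policy logic described above, modeled as an added example (not code or configuration from the original page or from the vendor). It shows the NAT exemption on both NGFWs and what happens to tunnel-bound traffic when the exemption is missing. The addresses, rule names, first-match rule ordering, and the assumption that the IPSec protected flow is matched after NAT are all assumptions of this sketch.

```python
import ipaddress as ip
from dataclasses import dataclass

ANY = ip.ip_network("0.0.0.0/0")

@dataclass
class Ngfw:
    local: ip.IPv4Network    # protected LAN behind this firewall
    remote: ip.IPv4Network   # peer LAN reached through the IPSec tunnel
    public: ip.IPv4Address   # outside address used for source NAT
    exempt_vpn: bool = True  # False models the missing no-NAT rule

    def nat_policy(self):
        """Ordered (name, source, destination, translate) rules; first match wins."""
        rules = [("nat_internet", self.local, ANY, True)]
        if self.exempt_vpn:
            # The exemption must sit above the broader Internet NAT rule.
            rules.insert(0, ("no_nat_vpn", self.local, self.remote, False))
        return rules

    def egress(self, src, dst):
        """Return (rule hit, source address on the wire, path taken)."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        hit = "none"
        for name, s_net, d_net, translate in self.nat_policy():
            if src in s_net and dst in d_net:
                hit = name
                if translate:
                    src = self.public
                break
        # Assumption: the IPSec protected flow (local -> remote) is matched after NAT.
        path = "ipsec-tunnel" if src in self.local and dst in self.remote else "untunneled"
        return hit, str(src), path

# Constructed addressing, not taken from the original page.
NET_A, NET_B = ip.ip_network("10.1.1.0/24"), ip.ip_network("10.1.2.0/24")
NGFW_A = Ngfw(NET_A, NET_B, ip.ip_address("203.0.113.1"))
NGFW_B = Ngfw(NET_B, NET_A, ip.ip_address("203.0.113.2"))  # source/destination swapped
NGFW_A_NO_EXEMPT = Ngfw(NET_A, NET_B, ip.ip_address("203.0.113.1"), exempt_vpn=False)

if __name__ == "__main__":
    for fw, s, d in [(NGFW_A, "10.1.1.10", "10.1.2.20"), (NGFW_A, "10.1.1.10", "198.51.100.7"),
                     (NGFW_B, "10.1.2.20", "10.1.1.10"), (NGFW_A_NO_EXEMPT, "10.1.1.10", "10.1.2.20")]:
        print(s, "->", d, fw.egress(s, d))
```

In the last case the source address is rewritten before the tunnel match, so the flow no longer fits the protected-flow definition and never enters the IPSec tunnel.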