Are There Special Requirements If I Configure Both NAT and VPN on an NGFW?
If you configure both NAT and virtual private network (VPN) functions on an NGFW, you need to configure a NAT policy that prevents the NGFW from performing NAT on the data flows that are to be encapsulated by the VPN; once their addresses are translated, those flows no longer match the traffic the VPN is meant to carry. In the following example, Figure 11-2 shows the networking for NAT and an Internet Protocol Security (IPSec) VPN.
Figure 11-2 NAT and IPSec VPN
As shown in Figure 11-2, NGFWs connect networks A and B to the Internet. PCs on the two networks communicate with each other over an IPSec VPN tunnel.
After traffic from networks A and B arrives at the NGFWs, the NGFWs apply NAT to all data flows except those to be transmitted over the IPSec VPN tunnel. NAT policies therefore need to be configured so that each NGFW can separate the traffic to be NATed from the IPSec VPN traffic. In the following example, Figure 11-3 shows the configuration on NGFW_A.
The NAT policy configuration on NGFW_B is similar to that on NGFW_A. The difference is that the source and destination addresses specified in the NAT policy on NGFW_B are the reverse of those specified on NGFW_A.
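The following is an added illustration of the two NAT policies side by side, not the configuration from Figure 11-3. The addresses, zone names and rule names are constructed, and the command syntax is assumed to follow the NGFW nat-policy rule style (source-zone, destination-zone, source-address, destination-address, action); check it against the command reference for your version.

```text
# Assumed topology (constructed): network A = 10.1.1.0/24 in zone trust
# behind NGFW_A, network B = 10.1.2.0/24 behind NGFW_B, Internet in zone untrust.
#
# --- Incorrect: a single NAT rule matches everything leaving trust, including
# --- the A-to-B flows meant for the IPSec tunnel. Their source address is
# --- rewritten before IPSec processing, so they no longer match the tunnel's
# --- traffic definition and are not encapsulated.
nat-policy
 rule name nat_internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action source-nat easy-ip
#
# --- Correct: an explicit no-nat rule for A-to-B traffic placed BEFORE the
# --- Internet NAT rule. Rules are matched top down and the first match wins,
# --- so the order of the two rules is what makes this work.
nat-policy
 rule name no_nat_ipsec_to_B
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action no-nat
 rule name nat_internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action source-nat easy-ip
#
# NGFW_B uses the same pair of rules with the addresses reversed:
#  source-address 10.1.2.0 24 / destination-address 10.1.1.0 24
```

To verify the result, generate a flow from network A to network B and confirm in the session table that its source address is unchanged and that the IPSec tunnel's packet counters increase.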