PAT traffic across a VPN so it appears to come from one source IP address?

Posted on 2011-04-20
Medium Priority
Last Modified: 2012-05-11
Our company has a client company that wants us to set up a VPN directly between our offices so we can enter orders directly into their system.
I need to set up a LAN-to-LAN IPSec Tunnel/VPN and then "PAT" the traffic towards their office ("PAT" is their term) so it appears to them to come from only one internal IP address.

I haven't got a clue on how to do this.

I have a choice of 2 routers to do this through -
We currently use an IPCop vsn 1.14 linux-based router.
I have on hand a Cisco RVS4000 router that can do VPN
Our internal segment is 192.168.6.x (and of course, they say there is already
a VPN that uses that subnet, so I have to figure out how to work around that also...)

As you can guess, I don't really know enough yet to ask this intelligently...

Thanks for the help and the education!
Question by:pootwaddle

Expert Comment

ID: 35440400
First you and your client have to agree on a pair of network address ranges that are acceptable to both organisations and who uses what addresses for what purpose. Use these addresses on both sides of the tunnel.

Then apply (Source) NAT to all packets going to the client according to the agreed addresses. You use the agreed address as destination from your servers.
That can also be done on their side. Port-forward the right addresses to internal ones etc.
i.e. regular NAT.

The world desperately needs IPv6 to get back into a flat network landscape again.

PAT is arguably the better name for NAT.
NAT "just changes" the network address and should leave ports alone, but to work NAT sometimes needs to modify port addresses to resolve conflicts.
==> port & address translation.

Author Comment

ID: 35440492
Thank you, noci.

We are working on the address ranges right now - my current subnet of 192.168.6.x is already "taken" on their VPN

So, problem #1 is how to set up the VPN without my having to renumber my entire office that uses 192.168.6.x.

And then, I don't understand how to accomplish your second paragraph - Then apply (Source) NAT to all packets...
So far, I come from a simple network setup - port forward traffic on port 80 to my web server, port 21 to the ftp server,
etc...  And my routers are small-business oriented as well - nothing like a high-end or even medium-end Cisco router...

Thank you - your comment is a great start.  I certainly don't want to sound ungrateful!

Accepted Solution

noci earned 2000 total points
ID: 35440704
Source NAT is something that all home appliances do with outgoing traffic... How many 192.168.0.x/24 or 192.168.1.x/24 networks do you guess there exist?...

You need the VPN router either to be able to NAT on the tunnel interface OR you need a separate router.

192.168.6.x/24 -- [Router1] --- intermediate network -+-- [router2] ---- Internet
                                                      |-- [router3] ---- VPN... [router-...] -- customer net

The intermediate network should use something that isn't used anywhere else.
(Some routers can handle NAT on tunnels, in that case you don't need the

For the Internet, router1 uses the default route pointing to router2.
If you NAT that traffic you're done; if you don't NAT that traffic (preferred) then you need to set a route to the 192.168.6.x/24 network on router2.

For the customer net, use a route in router1 pointing to router3 and NAT those packets.
Now you can have your router3 run a plain and simple VPN tunnel with the intermediate network range as the address range on your site.

You might need to set up NAT/PAT from router1 to an internal server if needed.
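The layout in the accepted solution, worked through as an added example (not code from the original thread, IPCop or Cisco). It assumes Linux routers driven by iproute2 and iptables, which is what IPCop is built on. Only 192.168.6.0/24 comes from the question; the intermediate network 10.77.0.0/24, the router addresses 10.77.0.1/.2/.3, the customer LAN 172.30.1.0/24, the list of subnets the customer's VPN already carries, the interface names and the port 443 server are all assumptions chosen for illustration. The plan check covers "problem #1" (nothing the customer sees may collide with what their VPN already uses, while the office LAN itself stays unrenumbered behind SNAT); the rule sets show SNAT to a single address for customer-bound traffic only, plain routing (no double NAT) towards router2, and the optional DNAT back to an internal server.

```python
"""Address plan and router rules for the "NAT/PAT across a VPN" layout above.

Added example, not code from the original thread, IPCop or Cisco. Assumes
Linux routers (iproute2 + iptables). Only 192.168.6.0/24 comes from the
question; every other address, interface name and port is an assumption.
"""
from ipaddress import IPv4Address, IPv4Network

OFFICE = IPv4Network("192.168.6.0/24")       # from the question: the office LAN
INTERMEDIATE = IPv4Network("10.77.0.0/24")   # assumed: agreed, otherwise-unused intermediate net
R1_ADDR = IPv4Address("10.77.0.1")           # assumed: router1 on the intermediate net = the single PAT address
R2_ADDR = IPv4Address("10.77.0.2")           # assumed: router2 (Internet)
R3_ADDR = IPv4Address("10.77.0.3")           # assumed: router3 (VPN endpoint)
CUSTOMER = IPv4Network("172.30.1.0/24")      # assumed: customer LAN on the far side of the tunnel
# assumed: subnets the customer says their VPN already carries (ours is in there: the clash in the question)
CUSTOMER_VPN_IN_USE = [IPv4Network("192.168.6.0/24"), IPv4Network("10.8.0.0/24")]


def find_conflicts(candidate, in_use):
    """Networks in `in_use` that overlap `candidate` (the customer-side clash check)."""
    return [n for n in in_use if candidate.overlaps(n)]


def validate_plan(office, intermediate, customer, customer_vpn_in_use):
    """Problem #1 in the thread: the office LAN stays as it is, hidden behind SNAT,
    so only the addresses the customer will actually see must be unique.
    Returns a list of problems; an empty list means the plan is usable."""
    problems = []
    if office.overlaps(customer):
        # office hosts would treat the customer range as local and never route it
        problems.append(f"office {office} overlaps customer LAN {customer}")
    for n in find_conflicts(intermediate, list(customer_vpn_in_use) + [office, customer]):
        problems.append(f"intermediate {intermediate} overlaps {n}")
    return problems


def router1_rules(iface_lan="eth0", iface_mid="eth1"):
    """router1: route customer traffic to router3 and SNAT it; route Internet
    traffic to router2 *without* NAT so there is no double NAT."""
    return [
        f"ip route add default via {R2_ADDR} dev {iface_mid}",
        f"ip route add {CUSTOMER} via {R3_ADDR} dev {iface_mid}",
        # SNAT to one address is what the customer calls "PAT": the kernel also
        # rewrites source ports when two office hosts pick the same one.
        f"iptables -t nat -A POSTROUTING -s {OFFICE} -d {CUSTOMER} -o {iface_mid} "
        f"-j SNAT --to-source {R1_ADDR}",
        f"iptables -A FORWARD -i {iface_lan} -o {iface_mid} -s {OFFICE} -d {CUSTOMER} -j ACCEPT",
        f"iptables -A FORWARD -i {iface_mid} -o {iface_lan} -s {CUSTOMER} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def router1_publish(port, internal_host, proto="tcp", iface_mid="eth1"):
    """Optional: let the customer reach one office server through the PAT address
    (the 'NAT/PAT from router1 to an internal server' case). Replies are
    un-DNATed by conntrack, so no extra SNAT rule is needed."""
    return (f"iptables -t nat -A PREROUTING -i {iface_mid} -s {CUSTOMER} -d {R1_ADDR} "
            f"-p {proto} --dport {port} -j DNAT --to-destination {internal_host}:{port}")


def router2_rules(iface_mid="eth0"):
    """router2: because router1 does not NAT Internet traffic, router2 needs a
    return route for the office LAN (otherwise you are forced into double NAT)."""
    return [f"ip route add {OFFICE} via {R1_ADDR} dev {iface_mid}"]


def router3_tunnel():
    """router3: vendor-neutral IPsec traffic selectors. The customer only ever
    sees the single PAT address, so the local selector is a /32."""
    return {"local_ts": f"{R1_ADDR}/32", "remote_ts": str(CUSTOMER)}


if __name__ == "__main__":
    for p in validate_plan(OFFICE, INTERMEDIATE, CUSTOMER, CUSTOMER_VPN_IN_USE):
        print("PLAN PROBLEM:", p)
    print("# router1"); print("\n".join(router1_rules()))
    print(router1_publish(443, "192.168.6.10"))   # assumed internal server
    print("# router2"); print("\n".join(router2_rules()))
    print("# router3 tunnel:", router3_tunnel())
```

The check deliberately does not complain that 192.168.6.0/24 is already on the customer's VPN: after SNAT the customer never sees that range, only the /32 on the intermediate network, which is what has to be unique. If you would rather not use a /32 selector, the whole intermediate /24 works as the local selector too, as long as the customer agrees it is free on their side.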

Author Comment

ID: 35440762
Thank you, the light is coming on.  Yes, I knew that NAT is done by my routers.  I just have
never seen a setup to do NAT across a VPN, and now that I see your diagram I see how
to do it with a second router, or at least after some studying I believe I will see it.

So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?

Expert Comment

ID: 35440850

>> So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?
That depends on your setup. That can be done (easier on router1 to implement) but might conflict with various protocols.
So preferably don't double NAT between router1 & 2.

Author Closing Comment

ID: 35440883
Thank you, noci, for your patience with a beginner in this subject!!
