PAT traffic across a VPN so it appears to come from one source IP address?

Posted on 2011-04-20
Last Modified: 2012-05-11
Our company has a client company that wants us to set up a VPN directly between our offices so we can enter orders directly into their system.
I need to set up a Lan2Lan IPSec Tunnel/VPN and then "PAT" the traffic towards their office ("PAT" is their term) so it appears to them to come from only one internal IP address.

I haven't got a clue on how to do this.

I have a choice of 2 routers to do this through:
We currently use an IPCop vsn 1.14 linux-based router.
I have on hand a Cisco RVS4000 router that can do VPN.
Our internal segment is 192.168.6.x (and of course, they say there is already a VPN that uses that subnet, so I have to figure out how to work around that also...).

As you can guess, I don't really know enough yet to ask this intelligently...

Thanks for the help and the education!
Question by: pootwaddle
    LVL 39

    Expert Comment

    First you and your client have to agree on a pair of network address ranges that are acceptable to both organisations, and on who uses what addresses for what purpose. Use these addresses on both sides of the tunnel.

    Then apply (Source) NAT to all packets going to the client according to the agreed addresses. You use the agreed address as destination from your servers.
    That can also be done on their side. Port-forward the right addresses to internal ones, etc.
    i.e. regular NAT.

    The world desperately needs IPv6 to get back into a flat network landscape again.

    PAT is arguably the better name for NAT.
    NAT "just changes" the network address and should leave ports alone, but to work NAT sometimes needs to modify port addresses to resolve conflicts.
    ==> port & address translation.

    Author Comment

    Thank you, noci.

    We are working on the address ranges right now - my current subnet of 192.168.6.x is already "taken" on their VPN.

    So, problem #1 is how to set up the VPN without my having to renumber my entire office that uses 192.168.6.x.

    And then, I don't understand how to accomplish your second paragraph - "Then apply (Source) NAT to all packets..."
    So far, I come from a simple network setup - port forward traffic on port 80 to my web server, port 21 to the ftp server, etc... And my routers are small-business oriented as well - nothing like a high-end or even medium-end Cisco router...

    Thank you - your comment is a great start.  I certainly don't want to sound ungrateful!
    LVL 39

    Accepted Solution

    Source NAT is something that all home appliances do with outgoing traffic... How many 192.168.0.x/24 or 192.168.1.x/24 networks do you guess there exist?...

    You need the VPN router to either be able to NAT on the tunnel interface, OR you need a separate router.

    192.168.6.x/24 -- [Router1] --- intermediate network -+-- [router2] ---- Internet
                                                          |-- [router3] ---- VPN... [router-...] -- customer net

    The intermediate network should use something that isn't used anywhere else. (
    Some routers can handle NAT on tunnels, in that case you don't need the

    For the Internet, router1 uses the default route pointing to router2.
    If you NAT that traffic you're done; if you don't NAT that traffic (preferred) then you need to set a route to the 192.168.6.x/24 network on router2.

    For customer-net, use a route in router1 pointing to router3 and NAT those packets.
    Now you can have your router3 run a plain and simple VPN tunnel with the intermediate network range as the address range on your site.

    You might need to setup NAT/PAT from router1 - to an internal server if needed.
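    The router1 half of the design above, as an added worked example that is not from the thread: it checks that the agreed intermediate range collides with neither 192.168.6.0/24 nor the customer's networks, then emits the static route and the source-NAT rule that applies only to customer-bound traffic (Internet traffic is left un-NATted, as the expert prefers). The customer network 10.50.0.0/24, the intermediate range 172.16.200.0/29, the addresses 172.16.200.2/.3 and the interface eth1 are constructed values, and the commands assume a plain Linux/netfilter router (IPCop is Linux-based but has its own configuration front end).

```python
"""Plan router1's part of 'NAT across the VPN': validate the agreed
intermediate range, then produce the route and SNAT rule for it.
Added example; all addresses except 192.168.6.0/24 are constructed."""
import ipaddress


def check_ranges(our_lan, customer_nets, intermediate, nat_ip):
    """Return a list of conflicts (empty list means the plan is sound).
    The thread's core problem: 192.168.6.x already exists on the customer's
    VPN, so the range we present to them must overlap neither side."""
    ours = ipaddress.ip_network(our_lan)
    inter = ipaddress.ip_network(intermediate)
    conflicts = []
    if inter.overlaps(ours):
        conflicts.append(f"{intermediate} overlaps our LAN {our_lan}")
    if ipaddress.ip_address(nat_ip) not in inter:
        conflicts.append(f"NAT address {nat_ip} is not inside {intermediate}")
    for net in customer_nets:
        cust = ipaddress.ip_network(net)
        if inter.overlaps(cust):
            conflicts.append(f"{intermediate} overlaps customer net {net}")
        if cust.overlaps(ours):
            # Our hosts could not even route to such a destination; it would
            # need destination NAT as well, which this plan does not cover.
            conflicts.append(f"customer net {net} overlaps our LAN {our_lan}")
    return conflicts


def router1_plan(our_lan, customer_nets, nat_ip, router3_ip, inter_iface):
    """Commands for router1: route customer nets towards router3 and SNAT
    only that traffic to the agreed address. Nothing here touches the
    default route, so Internet traffic is not double-NATted on router1."""
    cmds = []
    for net in customer_nets:
        cmds.append(f"ip route add {net} via {router3_ip}")
        cmds.append(
            f"iptables -t nat -A POSTROUTING -s {our_lan} -d {net} "
            f"-o {inter_iface} -j SNAT --to-source {nat_ip}")
    return cmds


if __name__ == "__main__":
    LAN, CUSTOMER = "192.168.6.0/24", ["10.50.0.0/24"]   # customer net constructed
    INTER, NAT_IP, R3 = "172.16.200.0/29", "172.16.200.2", "172.16.200.3"
    problems = check_ranges(LAN, CUSTOMER, INTER, NAT_IP)
    if problems:
        raise SystemExit("fix the address plan first: " + "; ".join(problems))
    print("\n".join(router1_plan(LAN, CUSTOMER, NAT_IP, R3, "eth1")))
```

Router3 then only needs an ordinary IPsec tunnel whose local subnet is 172.16.200.0/29; the customer never sees 192.168.6.x.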

    Author Comment

    Thank you, the light is coming on. Yes, I knew that NAT is done by my routers. I just have never seen a setup to do NAT across a VPN, and now that I see your diagram I see how to do it with a second router, or at least after some studying I believe I will see it.

    So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?
    LVL 39

    Expert Comment

    >> So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?
    That depends on your setup. That can be done (easier to implement on router1) but might conflict with various protocols.
    So preferably don't double NAT between router1 & 2.

    Author Closing Comment

    Thank you, noci, for your patience with a beginner in this subject!!
