PAT traffic across a VPN so it appears to come from one source IP address?

Our company has a client company that wants us to set up a VPN directly between our offices so we can enter orders directly into their system.
I need to set up a Lan2Lan IPSec Tunnel/VPN and then "PAT" the traffic towards their office ("PAT" is their term) so it appears to them to come from only one IP internal ip address.

I haven't got a clue on how to do this.

I have a choice of 2 routers to do this through -
We currently use an IPCop vsn 1.14 linux-based router.
I have on hand a Cisco RVS4000 router that can do VPN
our internal segment is 192.168.6.x (and of course, they say there is already
a VPN that uses that subnet, so I have to figure out how to work around that also...

As you can guess, I don't really know enough yet to ask this intelligently..

Thanks for the help and the education!
Who is Participating?
nociSoftware EngineerCommented:
Source nat is something that all home appliances do with outgoing traffic... How many 192.168.0.x/24 or 192.168.1.x/24 networks do you guess there exist?...

You need the VPN router either be able to nat on the tunnel interface OR you need a separate router.

192.168.6.x/24 -- [Router1] --- intermediate network -+-- [router2] ---- Internet
                                                                                      |-- [router3] ---- VPN... [router-...] -- customer net

The intermediate network should use something that isn't used anywhere else. (
Some routers can handle NAT on tunnels, in that case you don't need the

For the internet router1 uses the default route pointing to router2
if you nat that traffic you're done, if you don't nat that traffic (preferred) then you need to set a route to the 192.168.6.x/24 network on router2

for customer-net use a route in router1 pointing to router3 and nat those packets.
Now you can have your Router3 have a plain and simple VPN tunnel with the intermediate network range as the address range on your site.

You might need to setup NAT/PAT from router1 - to an internal server if needed.
nociSoftware EngineerCommented:
First you and your client have to agree on a pair network address ranges that are acceptable to both organisations and how uses what addresses for what purpose. Use these addresses on both sides of the tunnel.

Then apply (Source) NAT to all packets going to the client according to agreed addresses. You use the agreed address as destination from your servers.
That can also be done on their side. Portforward the right addresses to internal etc.
ie. regular NAT.

The world desparately needs IPv6 to get back into a flat network landscape again.

PAT is arguably the better name for NAT.
NAT "just changes" the network address and should leave ports alone, but to work NAT sometimes needs to modify port addresses to resolve conflicts.
==> port & address translation.
pootwaddleAuthor Commented:
Thank you, noci.

We are working on the address ranges right now - my current subnet of 192.168.6.x is already "taken" on their VPN

So, problem #1 is how to set up the VPN without my having to renumber my entire office that uses 192.168.6.x.

And then, I don't understand how to accomplish your second paragraph - Then apply (Source) NAT to all packets...
So far, I come from a simple network setup - port forward traffic on port 80 to my web server, port 21 to the ftp server,
etc...  And my routers are small-business oriented as well - nothing like a high-end or even medium-end Cisco router...

Thank you - your comment is a great start.  I certainly don't want to sound ungrateful!
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

pootwaddleAuthor Commented:
Thank you, the light is coming on.  Yes, I knew that NAT is done by my routers.  I just have
never seen a setup to do NAT across a VPN, and now that I see your diagram I see how
to do it with a second router, or at least after some studying I believe I will see it.

So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?
nociSoftware EngineerCommented:

>> So, would the traffic between router 1 and router 2 be double-NATted when it hits the internet?
That depends on your setup. That can be done (easier on router1 to implement) but might conflict various protocols.
So preferably don't double nat between router1 & 2.
pootwaddleAuthor Commented:
Thank you, noci, for your patience with a beginner in this subject!!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.