VPN tunnel and NAT rules



L1 Bithead


I have to create a VPN tunnel between two businesses. The main objective is that company A needs to provide access to the following subnets to company B:


I've got all the tunnel info set up, and there is just a public IP address on each firewall as the peer IP.


For company A where the subnets are located, I'm struggling with the NAT rule needed to allow access to this range of IPs.


Would it look something like this:

source zone: vpn_untrust
destination zone: inside_trust
destination interface: any
source address: public IP of company B
destination address: public IP of company A
destination translation: subnets listed above

L7 Applicator

Hi @buck1,

But first: is NAT needed at all? (Is there an IP conflict between the two sites?)

If there is no IP conflict, then no NAT is needed, just routing.


If both sites have identical IP subnets, you will need to set up NAT, depending on which direction you need to communicate in.

If site A only needs to connect to site B, you could replace these subnets at site A with 2 different ones,

e.g. + while doing source NAT to



source zone: trust
destination zone: vpn
source address: lan subnet
destination address: +
source translation:


Route these (0 + 16) subnets into the tunnel

and set the tunnel IP to




source zone: vpn
destination zone: vpn
source address:
destination address:
destination translation:



source zone: vpn
destination zone: vpn
source address:
destination address:
destination translation:


And set the tunnel interface to


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
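The reply above turns on one decision (do the two sites' subnets overlap, and if so, which side gets a translated copy of its subnets) and one mechanism (a 1:1 subnet-to-subnet translation applied in both directions). The script below is an added example written for this thread, not code from either poster or from Palo Alto Networks: it uses a constructed topology (company A on 10.10.0.0/24 and 10.10.1.0/24, company B on 10.10.0.0/24 and 192.168.50.0/24, a spare 172.16.0.0/16 for translated addresses), checks for the conflict, picks translated subnets that collide with nothing on either side, prints the inbound destination-NAT and outbound source-NAT rule pairs in the field layout used in the thread, and walks a packet from B through the inbound rule. The zone names in the generated rules are an assumption, matching the reply's approach of routing the translated subnets at the tunnel interface.

```python
"""Decide whether a site-to-site VPN needs NAT, and model the 1:1 subnet translation if it does."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample topology (not taken from the thread): company A's real subnets,
# company B's subnets, and a spare range A can carve translated subnets from.
SITE_A_REAL = ["10.10.0.0/24", "10.10.1.0/24"]
SITE_B_SUBNETS = ["10.10.0.0/24", "192.168.50.0/24"]
TRANSLATION_POOL = "172.16.0.0/16"


def conflicts(a_subnets: List[str], b_subnets: List[str]) -> List[Tuple[str, str]]:
    """Pairs of subnets that overlap between the two sites: the 'IP conflict' check."""
    nets_a = [ip_network(a) for a in a_subnets]
    nets_b = [ip_network(b) for b in b_subnets]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def nat_needed(a_subnets: List[str], b_subnets: List[str]) -> bool:
    """Plain routing is enough when nothing overlaps; NAT is only needed on a conflict."""
    return bool(conflicts(a_subnets, b_subnets))


def plan_translations(real_subnets: List[str], remote_subnets: List[str], pool: str) -> Dict[str, str]:
    """Give each real subnet a same-sized translated subnet from the pool, skipping
    candidates that would collide with either site's existing address space."""
    plan: Dict[str, str] = {}
    for real in map(ip_network, real_subnets):
        taken = [ip_network(n) for n in list(plan.values()) + remote_subnets + real_subnets]
        for candidate in ip_network(pool).subnets(new_prefix=real.prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                plan[str(real)] = str(candidate)
                break
        else:
            raise ValueError(f"pool {pool} has no free /{real.prefixlen} left for {real}")
    return plan


def static_translate(addr: str, from_net: str, to_net: str) -> str:
    """Network-to-network static NAT: keep the host bits, swap the network bits.
    A 1:1 subnet translation requires both networks to be the same size."""
    src, dst = ip_network(from_net), ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal prefix lengths")
    host = ip_address(addr)
    if host not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    offset = int(host) - int(src.network_address)
    return str(dst.network_address + offset)


def nat_rules(plan: Dict[str, str]) -> List[dict]:
    """The rule pairs the plan implies, in the field layout used in the thread.
    Zones are an assumption: the translated subnet is routed to the tunnel interface,
    so a rule matching it sees 'vpn' as its (pre-NAT) destination zone."""
    rules = []
    for real, translated in plan.items():
        rules.append({"name": f"inbound-{translated}", "source zone": "vpn", "destination zone": "vpn",
                      "source address": "company-B subnets", "destination address": translated,
                      "destination translation": real})
        rules.append({"name": f"outbound-{real}", "source zone": "trust", "destination zone": "vpn",
                      "source address": real, "destination address": "company-B subnets",
                      "source translation": translated})
    return rules


def inbound_dnat(dst: str, plan: Dict[str, str]) -> str:
    """Apply the inbound rules to a packet from B: a destination inside a translated
    subnet is rewritten to the real host; anything else is routed untranslated."""
    for real, translated in plan.items():
        if ip_address(dst) in ip_network(translated):
            return static_translate(dst, translated, real)
    return dst


if __name__ == "__main__":
    if nat_needed(SITE_A_REAL, SITE_B_SUBNETS):
        plan = plan_translations(SITE_A_REAL, SITE_B_SUBNETS, TRANSLATION_POOL)
        for rule in nat_rules(plan):
            print(rule)
        print("B -> 172.16.0.200 reaches", inbound_dnat("172.16.0.200", plan))
    else:
        print("no overlap: route the real subnets into the tunnel, no NAT rule needed")
```

With the constructed topology the first site-A subnet collides with company B, so the script assigns 172.16.0.0/24 and 172.16.1.0/24 as the addresses B routes into the tunnel; a packet from B to 172.16.0.200 is rewritten to 10.10.0.200 by the inbound rule, and replies from 10.10.0.200 are rewritten back by the matching outbound rule. Because a 1:1 subnet translation preserves host bits, the translated and real subnets must have the same prefix length; the script refuses anything else rather than silently mapping to the wrong host.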