10-26-2024 04:24 AM
Hi All,
I need to create an S2S Tunnel to a customer. We need to reach 1 Server on their side (e.g. 192.168.100.1). The connection is needed from multiple Hosts from 2 different Subnets on our Side (10.0.112.0/21 and 172.18.2.0/24). The customer does not want to allow both subnets; instead, they want to allow only 1 IP.
Now my question is: Is it possible to create a NAT Rule to do source NAT (Source Zone LAN, Source Addresses 10.0.150.0/24 and 172.18.2.0/24 --> Destination Zone VPN, Destination Address 192.168.100.1 --> Source Translation Dynamic IP and Port with IP e.g. 172.16.1.1)? With that setup the customer only needs to allow the IP 172.16.1.1 inside the tunnel.
In my understanding this should work since it's the same scenario as when multiple Hosts are going to the Internet with the same public IP, correct?
Thank you all!
03-03-2026 01:19 AM
Yes — you absolutely can SNAT multiple internal subnets to a single IP inside the tunnel so the customer only allows one source IP.
It works exactly like Internet PAT logic, but inside the IPsec tunnel.
Additionally, you may create two separate NAT rules and perform static one-to-one NAT instead of dynamic IP and port if preferred.
Notes:
• The translated IP address must be included in the Phase 2 proxy IDs (local encryption domain).
• The peer must allow and route the translated IP inside the tunnel.
• The translated IP does not need to be an interface IP, but using a loopback or dedicated NAT IP range is considered best practice for design clarity.
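A pre-flight check for the first note in the answer above, as an added example that is not part of the original thread or vendor code: it applies the source NAT rule from the question to a flow and then tests whether the post-NAT source falls inside the Phase 2 proxy IDs. The rule dictionary, the proxy-ID pairs and the function names are assumptions made for illustration (a simplified model, not PAN-OS syntax), and the rule's source list is used exactly as written in the question.

```python
import ipaddress as ip

# Addresses come from the thread; the rule layout is a simplified model.
NAT_RULE = {
    "sources": ["10.0.150.0/24", "172.18.2.0/24"],
    "destination": "192.168.100.1/32",
    "translated_source": "172.16.1.1",
}
# Constructed (local, remote) proxy-ID pairs for comparison.
PROXY_IDS_GOOD = [("172.16.1.1/32", "192.168.100.1/32")]   # translated IP
PROXY_IDS_BAD = [("10.0.112.0/21", "192.168.100.1/32")]    # pre-NAT subnet only


def translate(src, dst, rule):
    """Return the post-NAT source if the rule matches, else the original source."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if d in ip.ip_network(rule["destination"]) and any(
        s in ip.ip_network(n) for n in rule["sources"]
    ):
        return rule["translated_source"]
    return src


def selector_match(src, dst, proxy_ids):
    """True if (src, dst) falls inside at least one local/remote proxy-ID pair."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(
        s in ip.ip_network(loc) and d in ip.ip_network(rem)
        for loc, rem in proxy_ids
    )


def check_flow(src, dst, rule, proxy_ids):
    """Model one flow: apply source NAT, then test the Phase 2 selectors."""
    post = translate(src, dst, rule)
    return {"pre_nat": src, "post_nat": post,
            "in_tunnel": selector_match(post, dst, proxy_ids)}


if __name__ == "__main__":
    # Constructed sample hosts: two covered by the rule, one outside its source list.
    for host in ("10.0.150.20", "172.18.2.7", "10.0.113.5"):
        for name, pids in (("good", PROXY_IDS_GOOD), ("bad", PROXY_IDS_BAD)):
            print(name, check_flow(host, "192.168.100.1", NAT_RULE, pids))
```

The third sample host sits in 10.0.112.0/21 but not in the rule's source list, so it leaves untranslated and misses the 172.16.1.1/32 selector; the rule's source addresses need to cover every host that should use the tunnel.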

