Scenario: Using network address translation for VPN

 

In this scenario, your company wants to exchange sensitive data with one of its business partners over a VPN. To further protect the privacy of your company's network structure, your company will also use VPN NAT to hide the private IP address of the system that hosts the applications to which your business partner has access.

 

Situation

Suppose you are the network administrator for a small manufacturing company in Minneapolis. One of your business partners, a parts supplier in Chicago, wants to start doing more of its business with your company over the Internet. It is critical that your company have the specific parts and quantities at the exact time it needs them, so the supplier needs to be aware of your company's inventory status and production schedules. Currently you handle this interaction manually, but you find it time-consuming, expensive, and at times inaccurate, so you are more than willing to investigate your options.

Given the confidentiality and time-sensitive nature of the information you exchange, you decide to create a VPN between your supplier's network and your company's network. To further protect the privacy of your company's network structure, you also decide to hide the private IP address of the system that hosts the applications to which the supplier has access.

You can use VPN not only to create the connection definitions on the VPN gateway in your company's network, but also to provide the address translation you need to hide your local private addresses. Conventional network address translation (NAT) changes the IP addresses that the security associations (SAs) VPN requires were negotiated with, so translated datagrams no longer match their SAs and the connection breaks. VPN NAT avoids this by assigning the translated address to the connection when the connection starts, before SA validation, so the address the SA is validated against and the translated address stay consistent for the life of the connection.

 

Objectives

The objectives of this scenario are to:

 

Details

The following diagram illustrates the network characteristics of both the supplier network and the manufacturing network. The points that matter for the configuration are:

  • VPN gateway-A is configured to always initiate connections to VPN gateway-B.

  • VPN gateway-A defines the destination endpoint for the connection as 204.146.18.252 (the public address assigned to System-C).

  • System-C has a private IP address in the manufacturer's network of 10.6.100.1.

  • A public address of 204.146.18.252 has been defined in the local service pool on VPN gateway-B for System-C's private address, 10.6.100.1.

  • VPN gateway-B translates System-C's public address to its private address, 10.6.100.1, for inbound datagrams. VPN gateway-B translates returning (outbound) datagrams from 10.6.100.1 back to System-C's public address, 204.146.18.252. As far as clients in the supplier network are concerned, System-C has an IP address of 204.146.18.252. They will never be aware that address translation has occurred, and System-C's private address never appears in traffic that leaves the manufacturer's network.

 

Configuration tasks

You must complete each of the following tasks to configure the connection described in this scenario:

  1. Configure a basic gateway-to-gateway VPN between VPN gateway-A and VPN gateway-B.

  2. Define a local service pool on VPN gateway-B to hide System-C's private address behind the public identifier, 204.146.18.252.

  3. Configure VPN gateway-B to translate local addresses using local service pool addresses.
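
The following Python model is an added example, not IBM code and not a way to configure a real gateway. It models the datagram flow that the configuration tasks above set up on VPN gateway-B (the local service pool and the translation of local addresses) and the point made earlier about why VPN NAT, unlike conventional NAT, keeps the translated address consistent with the SA. The addresses 204.146.18.252 and 10.6.100.1 come from the scenario; the SPIs, the supplier client address 192.0.2.10, the sample datagrams and all class and function names are constructed for this example.

```python
"""Model of VPN NAT on VPN gateway-B from the scenario (added example, not IBM code).
Addresses 204.146.18.252 / 10.6.100.1 are from the scenario; SPIs, the supplier
client address, the datagrams and the names below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    payload: str


@dataclass(frozen=True)
class SecurityAssociation:
    """One direction of an IPsec SA. The selectors are the addresses the SA was
    negotiated with; a datagram that does not match them is dropped."""
    spi: int
    src_selector: str
    dst_selector: str


class VpnNatGateway:
    """VPN gateway-B. local_service_pool maps a public identifier to the private
    address it hides (scenario: 204.146.18.252 -> 10.6.100.1)."""

    def __init__(self, sas: List[SecurityAssociation], local_service_pool: Dict[str, str]):
        self.sas = list(sas)
        self.pool = dict(local_service_pool)
        self.private_to_public = {priv: pub for pub, priv in self.pool.items()}
        self.active: Dict[str, str] = {}   # public identifier -> private address, per connection

    def start_connection(self, public_addr: str) -> str:
        """VPN NAT binds the pool address to the connection when it starts, so the
        SA selectors and the translated address agree for the connection's life."""
        private = self.pool[public_addr]
        self.active[public_addr] = private
        return private

    def _match_sa(self, src: str, dst: str) -> Optional[SecurityAssociation]:
        for sa in self.sas:
            if sa.src_selector == src and sa.dst_selector == dst:
                return sa
        return None

    def inbound(self, dg: Datagram) -> Optional[Datagram]:
        """Datagram arriving from the supplier side: validate it against the SA
        using the public addresses the SA was negotiated with, then translate the
        destination to System-C's private address. None means dropped."""
        if self._match_sa(dg.src, dg.dst) is None:
            return None
        private = self.active.get(dg.dst)
        if private is None:
            return None   # no connection bound to that public identifier
        return Datagram(dg.src, private, dg.payload)

    def outbound(self, dg: Datagram) -> Optional[Datagram]:
        """Return traffic from System-C: translate the private source back to its
        public identifier, then validate against the outbound SA."""
        public = self.private_to_public.get(dg.src)
        if public is None or public not in self.active:
            return None
        translated = Datagram(public, dg.dst, dg.payload)
        if self._match_sa(translated.src, translated.dst) is None:
            return None
        return translated


def conventional_nat_inbound(gw: VpnNatGateway, nat: Dict[str, str], dg: Datagram) -> Optional[Datagram]:
    """Model of conventional NAT placed in the datagram path in front of the SA
    check: it rewrites the destination before the SA is consulted, so the
    addresses no longer match the selectors the SA was negotiated with."""
    rewritten = Datagram(dg.src, nat.get(dg.dst, dg.dst), dg.payload)
    return gw.inbound(rewritten)


SYSTEM_C_PUBLIC = "204.146.18.252"   # from the scenario
SYSTEM_C_PRIVATE = "10.6.100.1"      # from the scenario
SUPPLIER_CLIENT = "192.0.2.10"       # constructed client address in the supplier network


def build_gateway_b() -> VpnNatGateway:
    sas = [
        SecurityAssociation(0x1001, SUPPLIER_CLIENT, SYSTEM_C_PUBLIC),   # supplier -> System-C
        SecurityAssociation(0x1002, SYSTEM_C_PUBLIC, SUPPLIER_CLIENT),   # System-C -> supplier
    ]
    gw = VpnNatGateway(sas, {SYSTEM_C_PUBLIC: SYSTEM_C_PRIVATE})
    gw.start_connection(SYSTEM_C_PUBLIC)   # gateway-A initiates; B binds the pool address
    return gw


def demo():
    gw = build_gateway_b()
    request = Datagram(SUPPLIER_CLIENT, SYSTEM_C_PUBLIC, "inventory query")
    delivered = gw.inbound(request)
    reply = gw.outbound(Datagram(SYSTEM_C_PRIVATE, SUPPLIER_CLIENT, "inventory status"))
    broken = conventional_nat_inbound(gw, {SYSTEM_C_PUBLIC: SYSTEM_C_PRIVATE}, request)
    return delivered, reply, broken


if __name__ == "__main__":
    for label, dg in zip(("VPN NAT inbound", "VPN NAT outbound", "conventional NAT"), demo()):
        print(f"{label}: {dg}")
```

Running `demo()` shows the inbound request delivered to 10.6.100.1 and the reply leaving with source 204.146.18.252, while the same request passed through the conventional-NAT model is dropped because no SA covers a destination of 10.6.100.1. The model binds the pool address when the connection starts, which is the property the scenario relies on: the supplier side only ever sees the public identifier, and the SA and the translation never disagree.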

 

Parent topic:

VPN scenarios

Related concepts
Network address translation for VPN