Knowledge Base

Reset Search



How to configure 1:1 NAT over IPSec VPN (VTI)

« Go Back


TitleHow to configure 1:1 NAT over IPSec VPN (VTI)
  • Configure 1:1 NAT over IPSec VTI VPN
  • How to get one or more static IP addresses to be available across a Virtual Tunnel Interface using IPsec.
  • IPSec VPN (VTI)
  • NCOS 6.5.2
  1. Log into the router's NCOS page.
  2. Configure IPSec VPN according to the VTI Knowledge Base Article 
  3. Configure 1:1 NAT rule
    1. Navigate to Security > Zone Firewall > NAT
    2. Under the "NAT" section, click "Add"
  4. Configure the NAT settings:
    1. Bound Interfaces/Zone - select the previously-created VTI zone from the drop-down menu
    2. Original Destination IP - IP address of the VTI interface
    3. NAT To Network: IP address of the internal host 
    4. Check the box for "Add Proxy ARP Routes."
    5. Click "Save"
Additional Information
  • For general information about configuring 1:1 NAT, see our Knowledge Base article - NCOS: 1 to 1 NAT
  • Proxy ARP is not configurable on the VTI interface. 1:1 NAT can only be done using the IP address on the VTI interface
  • We also can set this with static  routes  instated of Proxy ARP 
    1. Set a rule for the remote LAN (IE to the gateway on the Tunnel (IE
    2. Set a rule for the traffic all the on the VTI tunnel as well ( IE to the Tunnel interface (IE This should be the same 
    3. Repeat on the other side as well 



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255