Using NAT and VPN

Applies To: Windows 7, Windows Server 2008 R2

A common deployment option is to use network address translation (NAT) on one or both sides of a connection that links offices in different geographical locations. RRAS provides two types of virtual private network (VPN) site-to-site connections. The following table describes the circumstances in which you can use a NAT in conjunction with a VPN connection.

| Type of VPN Site-to-Site Connection | Can You Use NAT? | Description |
|---|---|---|
| PPTP | Yes | In most cases, you can locate Point-to-Point Tunneling Protocol (PPTP)-based calling routers behind a NAT-enabled router (or configure one computer as both the calling router and the NAT-enabled router) in order to allow computers with private addresses in a small office or home office network to share a single connection to the Internet. With a VPN connection, the site-to-site connection from the small office to the main office is tunneled through the Internet. NAT in RRAS includes a NAT editor that can accurately translate PPTP-tunneled data. |
| L2TP/IPsec | Yes, but only if you use the IPsec NAT-T feature | You can use the Internet Protocol security (IPsec) feature called NAT Traversal (NAT-T) to create Layer Two Tunneling Protocol (L2TP)/IPsec connections across NATs. Using NAT-T requires running Windows Server 2008 or Windows Server 2008 R2 on both the calling and answering routers, or a third-party router that supports NAT-T. With NAT-T, computers with private addresses behind a NAT can use IPsec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows XP with Service Pack 1 or later versions of Windows). No NAT editor exists for L2TP/IPsec, so the only way to use NAT is by implementing IPsec NAT-T. |
| SSTP | Yes | Secure Socket Tunneling Protocol (SSTP)-based VPN clients and VPN servers can be located behind a NAT-enabled router. |
| IKEv2 | Yes | Internet Key Exchange version 2 (IKEv2)-based VPN clients and VPN servers can be located behind a NAT-enabled router. |
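As an added illustration (not part of this article) of why the table comes out the way it does: a plain NAT can only rewrite traffic that carries transport ports, which is what makes GRE-tunneled PPTP data depend on the NAT editor and raw ESP depend on NAT-T. The Python below builds constructed, minimal IPv4 packets for each tunnel's traffic and reports whether a port-based NAT can translate it; the protocol numbers and ports it uses (GRE 47, ESP 50, TCP 1723, TCP 443, UDP 500 and 4500) are standard values that the article itself does not state.

```python
import socket
import struct

# Standard IP protocol numbers and well-known ports (not stated on the page)
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PPTP_TCP, SSTP_TCP, IKE_UDP, NAT_T_UDP = 1723, 443, 500, 4500
# (protocol, destination port) -> tunnel component that carries ports
PORTED = {
    (IPPROTO_TCP, PPTP_TCP): "PPTP control (TCP 1723)",
    (IPPROTO_TCP, SSTP_TCP): "SSTP (TCP 443)",
    (IPPROTO_UDP, IKE_UDP): "IKE / IKEv2 (UDP 500)",
    (IPPROTO_UDP, NAT_T_UDP): "IPsec NAT-T: ESP wrapped in UDP 4500",
}

def ipv4(proto, payload, src="10.0.0.2", dst="203.0.113.5"):
    """Constructed, minimal IPv4 packet: 20-byte header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def ports(sport, dport):
    """First four bytes of a TCP/UDP header: the port pair a NAT rewrites."""
    return struct.pack("!HH", sport, dport)

def classify(pkt):
    """Return (tunnel component, plain port-based NAT can translate it, reason).
    Packets are assumed to flow from the calling router behind the NAT toward
    the answering router, so the destination port identifies the service."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        _, dport = struct.unpack("!HH", payload[:4])
        name = PORTED.get((proto, dport), "other TCP/UDP")
        return name, True, "carries ports, so address/port rewriting just works"
    if proto == IPPROTO_GRE:
        return "PPTP data (GRE)", False, "no ports; RRAS NAT handles it with its PPTP NAT editor"
    if proto == IPPROTO_ESP:
        return "L2TP/IPsec data (raw ESP)", False, "no ports and no NAT editor exists; use NAT-T"
    return "other", False, "no transport ports for a NAT to rewrite"

if __name__ == "__main__":
    for pkt in (ipv4(IPPROTO_TCP, ports(40000, PPTP_TCP)),  # PPTP control channel
                ipv4(IPPROTO_GRE, b"\x30\x01\x88\x0b"),      # PPTP data (constructed GRE)
                ipv4(IPPROTO_ESP, bytes(8)),                 # L2TP/IPsec without NAT-T
                ipv4(IPPROTO_UDP, ports(4500, NAT_T_UDP)),   # the same data with NAT-T
                ipv4(IPPROTO_TCP, ports(40001, SSTP_TCP))):  # SSTP
        name, ok, why = classify(pkt)
        print(f"{name:38} plain NAT ok={ok!s:5} {why}")
```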

Additional references