Using NAT and VPN
Applies To: Windows Server 2008
A common deployment option is to use network address translation (NAT) on one or both sides of a connection that links offices in different geographical locations. The Routing and Remote Access service in Windows Server® 2008 provides two types of virtual private network (VPN) site-to-site connections. The following table describes the circumstances in which you can use a NAT in conjunction with a VPN connection.
| Type of VPN Site-to-Site Connection | Can You Use NAT? | Description |
|---|---|---|
PPTP VPN |
Yes |
In most cases, you can locate PPTP–based calling routers behind a NAT-enabled router (or configure one computer as both the calling router and the NAT-enabled router) in order to allow computers with private addresses in a small office or home office network to share a single connection to the Internet. With a VPN connection, the site-to-site connection from the small office to the main office is “tunneled” through the Internet. NAT in the Routing and Remote Access service in Windows Server 2008 includes a NAT editor that can accurately translate PPTP-tunneled data. |
L2TP/IPsec VPN |
Yes, but only if you use the IPsec NAT Traversal (NAT-T) feature |
With Windows Server 2008 –based calling or answering routers, you can use the Internet Protocol security (IPsec) feature called NAT traversal (NAT-T) to create L2TP/IPsec connections across NATs. Using NAT-T requires running Windows Server 2008 on both the calling and answering routers (or appropriately configured Cisco routers). With NAT-T, computers with private addresses that are hidden behind a NAT can use IPsec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows Vista® or Windows XP Professional Service Pack 1). No NAT editor exists for L2TP/IPsec, so the only way to use NAT is by implementing IPsec NAT-T. |
SSTP |
Yes |
SSTP-based VPN clients and VPN servers can be located behind a NAT-enabled router. |