Using NAT and VPN

Applies To: Windows Server 2008

A common deployment option is to use network address translation (NAT) on one or both sides of a connection that links offices in different geographical locations. The Routing and Remote Access service in Windows Server® 2008 provides two types of virtual private network (VPN) site-to-site connections. The following table describes the circumstances in which you can use a NAT in conjunction with a VPN connection.

 

Type of VPN Site-to-Site Connection Can You Use NAT? Description

PPTP VPN

Yes

In most cases, you can locate PPTP–based calling routers behind a NAT-enabled router (or configure one computer as both the calling router and the NAT-enabled router) in order to allow computers with private addresses in a small office or home office network to share a single connection to the Internet. With a VPN connection, the site-to-site connection from the small office to the main office is “tunneled” through the Internet. NAT in the Routing and Remote Access service in Windows Server 2008 includes a NAT editor that can accurately translate PPTP-tunneled data.

L2TP/IPsec VPN

Yes, but only if you use the IPsec NAT Traversal (NAT-T) feature

With Windows Server 2008 –based calling or answering routers, you can use the Internet Protocol security (IPsec) feature called NAT traversal (NAT-T) to create L2TP/IPsec connections across NATs. Using NAT-T requires running Windows Server 2008 on both the calling and answering routers (or appropriately configured Cisco routers). With NAT-T, computers with private addresses that are hidden behind a NAT can use IPsec to connect to a remote site if these computers have the NAT-T update installed (for computers running Windows Vista® or Windows XP Professional Service Pack 1). No NAT editor exists for L2TP/IPsec, so the only way to use NAT is by implementing IPsec NAT-T.

SSTP

Yes

SSTP-based VPN clients and VPN servers can be located behind a NAT-enabled router.

Community Additions

ADD
Show: