Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN and NAT: Sequence of encryption and NAT

I wish to know the sequence in which encryption/decryption and NAT happens.

I have this customer with one big subnet ( containing PCs and servers.

Now I need to encrypt the data on LAN. VPN 3000 was proposed. Now I need to move servers to another subnet (

Could I use NAT to translate old server addresses to new addresses in such that clients never notice the change of server addresses?

1. Where will be NAT applied? After packet come out of tunnel and before enter into tunnel?

2. How will NAT work here? Will VPN 3000 respond to ARP for old server addresses (

  • Other Security Subjects
New Member

Re: VPN and NAT: Sequence of encryption and NAT

You will have to NAT the traffic before it hits the concentrator. This gets a little tricky. You wont be able to NAT this on the concentrator so you'll have to do that on a router or a pix. So you got to question that as well since the pix and router could do both the nat and the ipsec tunnel. Is the concentrator needed is what i'd be asking. To answer your questions directly:

1. Not on the concentrator, so it will have to be done before it goes through the tunnel on another device.

2. NAT happens before encryption, whether its on the vpn device or downstream. No it wont arp for the old address.

Kurtis Durrett

This widget could not be displayed.