Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address


Note: To setup a proper IPSEC VPN on a firewall that is behind an internet facing router/firewall, your IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as

This is the IP subnet that is hosted by the internet router/firewall. is what the External interface of the IPSEC VPN firewall is assigned. Its internal subnet must be on a different subnet. This example will use

The IPSEC VPN tunnel configuration is exactly identical as if the device was the internet facing device.

In the VPN tunnel configuration, setup your local gateway to what the internet facing device (External) IP address is assigned.

On the remote IPSEC VPN tunnel, configure its remote IP address to the same IP address that is assigned to the above local gateway.


Site 1 (Home)                                                   Site 2 (Business)

Local GW:                                             Local GW:
Remote GW:                                      Remote GW:
Internal:                                Internal:
Remote:                                Remote:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s