Site-to-site IPSEC VPN with dedicated NAT IP in Phase 2

edited May 2021 in Security

Good morning everyone,

I need help. I'm setting up a site-to-site VPN for a connection between my company and another company not managed by me.

In Phase 2 they reserved me a dedicated NAT IP my network is a Can you explain to me how I can set the parameters to perform this NAT in a Site to Site IPSEC VPN?

Thank you


Best Answers

  • Zyxel_Charlie
     Zyxel Employee
    Answer ✓

    Customer network IP is, and the NAT(Fake) IP
    The subnet mask on the customer network and the NAT IP need to be the same (since it's one IP mapping to one IP).
    Therefore, the NAT IP: to modify to slash 24)
    For your scenario, you can refer to this thread


  • Ian31
     Master Member
    Answer ✓
    Hi @Mattia_Tecnosoft_Srl,
    Here are the configuration steps:
    1. Create address objects
    (1) Create address object of your local network
    ex. object name: LOCAL_NETWORK, type: SUBNET, network:, netmask:
    (2) Create address object of remote network
    ex. object name: REMOTE_NETWORK, type: SUBNET, network:, netmask:
    (3) Create address object of VPN traffic source NAT IP
    ex. object name: LOCAL_SNAT_IP, type: HOST, IP address:
    2. Set up IPSec phase 2
    Assume you know how to set up a VPN connection rule (phase2) on USG20-VPN.
    Here I just highlight the key part:
    (1) In policy, select LOCAL_SNAT_IP as local policy, and REMOTE_NETWORK as remote policy.

    (2) In inbound/outbound traffic NAT,
    under Outbound Traffic, enable Source NAT. Set it up like this:

    3. Add a policy route to enforce traffic from to go into the VPN tunnel
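
Why the local policy has to be the NAT IP rather than the real LAN, and why one-to-one NAT needs equal masks, shown as an added Python example (not part of the thread and not Zyxel code). The object names come from the answer above; every address is a constructed sample because the thread's real values are not shown, and the helper functions are hypothetical.

```python
import ipaddress as ip

# Constructed sample addresses: the thread's real values are not shown.
# Helper names below are hypothetical, not Zyxel commands.
LOCAL_NETWORK = ip.ip_network("192.168.10.0/24")   # LAN behind the USG
REMOTE_NETWORK = ip.ip_network("10.50.0.0/16")     # peer's encryption domain
LOCAL_SNAT_IP = ip.ip_address("172.16.99.5")       # NAT IP assigned by the peer


def snat_many_to_one(src, inside, nat_ip):
    """Source NAT as in step 2(2): every inside host leaves as nat_ip."""
    src = ip.ip_address(src)
    return nat_ip if src in inside else src


def snat_one_to_one(src, inside, outside):
    """Subnet-to-subnet NAT: host bits are kept, so both masks must match."""
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("1:1 NAT needs identical subnet masks")
    src = ip.ip_address(src)
    if src not in inside:
        return src
    offset = int(src) - int(inside.network_address)
    return outside.network_address + offset


def matches_phase2(src, dst, local_policy, remote_policy):
    """True when a packet fits the phase 2 local/remote policy pair."""
    return (ip.ip_address(src) in local_policy
            and ip.ip_address(dst) in remote_policy)


def check_tunnel(src, dst):
    """Compare the packet before and after Source NAT against the policy."""
    local_policy = ip.ip_network(f"{LOCAL_SNAT_IP}/32")
    before = matches_phase2(src, dst, local_policy, REMOTE_NETWORK)
    natted = snat_many_to_one(src, LOCAL_NETWORK, LOCAL_SNAT_IP)
    after = matches_phase2(natted, dst, local_policy, REMOTE_NETWORK)
    return before, natted, after


if __name__ == "__main__":
    print(check_tunnel("192.168.10.20", "10.50.3.7"))
    print(snat_one_to_one("192.168.10.20", LOCAL_NETWORK,
                          ip.ip_network("172.16.99.0/24")))
```

A LAN packet only fits the negotiated phase 2 policy after Source NAT has rewritten its source, which is why the real LAN subnet never appears in the local policy the peer sees.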

All Replies

  • mMontana
     Guru Member
    Which device are you using?
    AFAIK the DNAT/SNAT setting is in the tunnel section, in the advanced options.
  • Hello Montana, the firewall is a USG20 VPN. The company that manages the network in which I should connect gave me these parameters: As for the encryption domain, the class indicates the network of points of sale that can be reached (aggregates all the remote /24). The IP instead has been dedicated to you to NAT your traffic in phase2

    My client's network is

    Can you help me understand where I need to configure this thing?

