Every device connected to the Internet, be it a computer, a smartphone, the PWK or, in the future, the refrigerator, needs its own IP address so that other devices can identify it and exchange information with it. Data is transmitted whenever a website is opened or a phone call is made via VoIP, for example.
The scarcity of addresses in the IPv4 address space causes problems. The Internet protocol IPv6, which provides vastly more addresses, is meant to remedy this. Yet the transition to IPv6 is not complete. One reason, among others, is the lack of compatibility between IPv6 and IPv4: devices therefore have to support both protocols.
The address scarcity of IPv4 is compensated by the clear separation of private and public address spaces. The boundary between the public and private address ranges is the router. This is where Network Address Translation, or NAT for short, comes into play.
What is NAT?
Private IP addresses are not routable on the Internet, so data packets that a computer (client) on the LAN sends to a server on the Internet must be given a public IP address by the router. Network Address Translation (NAT) rewrites the source or destination IP address of an IP packet during routing and replaces it with another, public address. This lets hosts with private IP addresses communicate with the Internet. Hiding behind a single public IP address also has a side benefit for the security of Internet communications.
The protection provided by Network Address Translation is comparable to that of a makeshift firewall: the systems behind NAT are not directly reachable from the Internet, and a connection can only be initiated from the internal end device. Network Address Translation is not a substitute for a firewall or packet filter, however.
What is NAT Traversal?
Network Address Translation Traversal (NAT-T) is a technique for establishing and maintaining Internet Protocol connections through gateways that implement Network Address Translation (NAT). Specifically, IPsec with NAT traversal allows an IPsec connection to be established through a NAT router. During connection establishment the method detects whether NAT is in use and whether both sites support NAT traversal. If so, NAT-T encapsulates the ESP traffic in UDP packets and gives it a UDP port that NAT can translate; usually UDP port 4500 is used. You are on the safe side if UDP 500, UDP 4500 and TCP 10000 are open between the VPN partners, as well as the IP protocol ESP.
NAT Traversal and VPN passthrough (also called IPsec passthrough) try to solve the same problem. However, IPsec passthrough only works within a limited scope, and, unlike NAT-T, the passthrough method has to be implemented in the NAT routers themselves.
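The two steps described above, NAT detection and UDP encapsulation of ESP, as an added example that is not part of the original article: the hash construction follows the IKEv2 NAT_DETECTION payloads (RFC 7296, section 2.23) and the port 4500 framing follows RFC 3948; all SPIs, addresses and the ESP packet are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed values for the walk-through: 8-byte IKEv2 SPIs and the addresses
# a client behind a NAT router and its VPN peer would see (RFC 5737 test ranges).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("0000000000000000")        # responder SPI is zero in the first message
INSIDE_IP, INSIDE_PORT = "192.168.1.20", 500      # what the client puts into its hash
OUTSIDE_IP, OUTSIDE_PORT = "203.0.113.7", 40112   # what the peer sees after NAT rewriting

def nat_detection_hash(spi_i, spi_r, ip, port):
    """Data of a NAT_DETECTION_SOURCE/DESTINATION_IP payload (RFC 7296, 2.23):
    SHA-1 over SPIi | SPIr | IP address | UDP port, all in network byte order."""
    addr = ipaddress.ip_address(ip).packed            # 4 bytes (IPv4) or 16 bytes (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def nat_detected(spi_i, spi_r, peer_hash, seen_ip, seen_port):
    """The receiver recomputes the hash over the source IP/port the packet really
    arrived from. A mismatch means a NAT rewrote the header somewhere on the path."""
    return peer_hash != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)

def udp_encapsulate_esp(esp_packet, src_port=4500, dst_port=4500):
    """RFC 3948 UDP encapsulation: the ESP packet becomes the payload of a UDP
    datagram on the IKE ports; the UDP checksum is sent as zero for IPv4."""
    if len(esp_packet) < 8 or esp_packet[:4] == b"\x00\x00\x00\x00":
        raise ValueError("ESP must start with a non-zero SPI")
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet

def demux_port_4500(udp_payload):
    """UDP 4500 carries three kinds of traffic; the first bytes tell them apart."""
    if udp_payload == b"\xff":
        return "NAT-keepalive"      # single 0xFF byte that keeps the NAT binding alive
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "IKE"                # 4-byte non-ESP marker, then the IKE header
    return "ESP"                    # anything else is an ESP packet (SPI is never zero)

if __name__ == "__main__":
    h = nat_detection_hash(SPI_I, SPI_R, INSIDE_IP, INSIDE_PORT)
    print("NAT in path:", nat_detected(SPI_I, SPI_R, h, OUTSIDE_IP, OUTSIDE_PORT))
    esp = bytes.fromhex("1000abcd00000001") + b"\x00" * 16   # constructed ESP: SPI, seq, payload
    dgram = udp_encapsulate_esp(esp)
    print(demux_port_4500(dgram[8:]), len(dgram), "bytes on UDP 4500")
```

Once the peer sees the mismatch it knows a NAT sits in between and both sides move IKE and ESP to UDP 4500, which is why that port must be open between the VPN partners.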
Can I use a VPN with my NAT router?
Basically, anyone can establish a VPN tunnel through a NAT device; the WLAN router just has to be configured accordingly. Current Windows versions support network address translation natively for a virtual network. macOS also requires a special configuration.
IPsec client
In the VPN client, activate the Enable Transparent Tunneling option in the settings. Select either IPSec over UDP (NAT/PAT) or, if that is not possible, IPSec over TCP with TCP port 10000.
Attention: behind a NAT router, usually only one user at a time can establish a VPN tunnel, since the local address is translated by NAT to the IP address of the Internet access. Two VPN users can work through one router using IPSec over TCP on TCP port 10000, as long as they use two different logins.
AnyConnect Client
The AnyConnect client uses both TCP and UDP on port 443 for the VPN connection; both can be processed by NAT routers.
What is the difference between route and NAT mode in VPN configuration?
When configuring a site-to-site VPN (LAN to LAN) between two sites, there is a choice between Route and NAT mode.
Route Mode vs NAT Mode
The difference between route mode and NAT mode lies in the access options. In route mode, the clients at both endpoints can reach each other; with the dial-in router acting as the remote gateway, computers on both sides can also access the Internet in this case.
This is not possible in NAT mode: only clients on the dial-out side can access the network on the dial-in side. NAT mode prevents the other side's clients from accessing one's own network. It is used when connecting to a VPN service.