Access Server NAT and Routing Overview for VPN Traffic Management
Access Server supports both Network Address Translation and routing to manage VPN traffic.
Overview
Access Server supports both NAT (Network Address Translation) and routing to manage VPN traffic, allowing you to control how traffic moves between VPN clients and resources in your private network. While NAT is the default method for handling VPN traffic, routing is useful for scenarios that require two-way traffic between the VPN clients and resources behind Access Server.
Network Address Translation (NAT) is the default method for routing VPN traffic in Access Server. It's a simple and efficient way to provide access to resources within the local network behind the Access Server, such as web servers or file servers.
How it works: When a VPN client sends a request, Access Server translates the source IP address of the packet to its own private IP address. It then forwards the packet to the destination system, making it appear as if the traffic is coming from within the local private subnet.
Benefits: No additional routing configuration is needed. The target system in the private network responds as if the traffic is local, simplifying the setup.
Limitations: NAT creates a one-way traffic flow. VPN clients can access resources in the private network, but they cannot be accessed directly from the private network. It's like a firewall in this way, providing access to resources but not allowing inbound connections to the VPN clients.
Routing is ideal for scenarios where you need two-way communication between the VPN clients and the private network behind Access Server. Unlike NAT, routing does not involve translating IP addresses but forwards traffic directly to its destination.
How it works: VPN client traffic is sent through Access Server and forwarded as-is to the target network. The target network must know the VPN client subnet for this to work. This is typically done by adding a static route to the target network's default gateway or the target server.
Two-way communication: Routing enables traffic in both directions, from the VPN client subnet to the private network and vice versa. This allows for more seamless communication between the two networks.
Requirements: You need to configure static routes on both the Access Server and the target system to ensure traffic is properly routed between the networks.
Tip
We recommend you use routing for Access Server configurations involving the VoIP protocol. It typically doesn't work with NAT.
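The return-path difference between NAT and routing described above can be checked with a small model. This is an added example, not Access Server code: the addresses, routing tables and function names are constructed assumptions, and the model only follows the target's route and, if handed off, the default gateway's.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the page).
VPN_SUBNET = ipaddress.ip_network("172.27.224.0/20")  # VPN client subnet
LAN_SUBNET = ipaddress.ip_network("192.168.70.0/24")  # private network
AS_LAN_IP = ipaddress.ip_address("192.168.70.10")     # Access Server private IP
GATEWAY_IP = ipaddress.ip_address("192.168.70.1")     # LAN default gateway
CLIENT = ipaddress.ip_address("172.27.224.5")         # one VPN client
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routing tables as (destination network, next hop) pairs.
TARGET_BASE = [(LAN_SUBNET, "on-link"), (DEFAULT, GATEWAY_IP)]
TARGET_WITH_ROUTE = TARGET_BASE + [(VPN_SUBNET, AS_LAN_IP)]
GATEWAY_WITH_ROUTE = [(LAN_SUBNET, "on-link"), (VPN_SUBNET, AS_LAN_IP)]

def next_hop(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def source_seen_by_target(mode, client_ip):
    """NAT rewrites the source to Access Server's private IP; routing keeps it."""
    return AS_LAN_IP if mode == "nat" else client_ip

def delivered_to_access_server(dst, target_routes, gateway_routes=()):
    """Follow the target's route for dst, then the gateway's if handed off."""
    hop = next_hop(target_routes, dst)
    if hop == GATEWAY_IP:
        hop = next_hop(gateway_routes, dst)
    return hop == AS_LAN_IP or (hop == "on-link" and dst == AS_LAN_IP)

def reply_reaches_access_server(mode, client_ip, target_routes, gateway_routes=()):
    """Does the target's reply to a VPN client get back to Access Server?"""
    dst = source_seen_by_target(mode, client_ip)
    return delivered_to_access_server(dst, target_routes, gateway_routes)

def lan_can_initiate(mode, client_ip, target_routes, gateway_routes=()):
    """Can a LAN host open a connection to a VPN client? NAT is one-way."""
    if mode == "nat":
        return False
    return delivered_to_access_server(client_ip, target_routes, gateway_routes)

if __name__ == "__main__":
    for mode, routes in [("nat", TARGET_BASE), ("routing", TARGET_BASE),
                         ("routing", TARGET_WITH_ROUTE)]:
        print(mode, len(routes), "routes -> reply returns:",
              reply_reaches_access_server(mode, CLIENT, routes))
```

In routing mode without a static route for the VPN client subnet, the target's reply follows its default route and never returns to Access Server, which is the failure the Requirements item guards against.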