NAT over VPN

Jez222 Newbie ✭
edited February 2021 in Mid Range Firewalls


Total newbie here. I am trying to set up a site-to-site VPN with a 3rd party, but I need to NAT my side as our LAN network is already in use by another company connected to the 3rd party.

We have successfully established an IPsec connection; however, there is no traffic as I am stuck on how to set up the NAT.

I tried following the tech help on this subject but that didn't help me.

Can anyone help? I have an NSA 2600

Category: Mid Range Firewalls

Best Answer

  • TKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    Create an address object for the subnet you are to use for the VPN NAT (172.26.12.x). In the VPN tunnel properties you enable 'Apply NAT policies', set your local translated as the address object for 172.26.12.x, and remote translated as original.

    You do not need to manually create a NAT policy when setting the NAT in the VPN tunnel properties.

    Hope that helps.


  •

    Welcome to the SonicWall community.

    In your case, I think the NAT is only required on your end and not on the remote side. If the VPN is already up, it means the networks are matching.

    I think it would be best to check if you see any traffic on the associated NAT policy and perform packet captures.


    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Jez222 Newbie ✭

    Hi Shipra,

    Many thanks, you are correct, the NAT is only required at my end because my current network ( is in use by another company who use /16

    We have agreed that my side can be natted to but herein lies the issue for me.

    I am not sure how to set up the NAT on my NSA2600.

    Do I create an address group with my current and and translated current?

    If so, how do I apply that to the VPN policy?

    In the Policy window under:

    General - Everything agreed with 3rd party and set correctly

    Network - Local Network is x0 Subnet - Remote Networks 3rd party network set correctly (

    Proposals - Everything agreed with 3rd party and set correctly

    Advanced - 2 things checked - Enable Keep alive and Apply NAT Policies

    Under NAT Policies

    Local Translated - Is this Address group ( or Address Object? (

    Remote Translated - Original

    Many thanks for your support

  • Lior Newbie ✭

    JEZ222  you should be using a Local Translated "Address Object" ( not the address group since you've already specified the network as X0 Subnet

  • Jez222 Newbie ✭

    Thanks Lior, but to create the NAT do I create the group with local and translated network? That's it?

  • Jez222 Newbie ✭
    edited February 2021

    Now there is an issue with traffic

    event="IPsec bad payload length"

    local_net=,remote_net=,, information="ipsec:bad_payload_len:1",

    reason="Received an IPsec packet with a payload length which is not a multiple of the ESP encryption algorithm block size. This could indicate a truncated packet."

    The other side I am trying to connect to found an issue....can anyone here advise please?

    Many thanks

  • TKWITS Community Legend ✭✭✭✭✭

    Verify the Phase 1 and Phase 2 proposal configuration is correct on both sides of the tunnel.

    If the issue is on the other side, then it is their issue to figure out.
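
The length check named in the "IPsec bad payload length" log message, as an added example that is not from the thread or from SonicWall's code: it applies the RFC 4303 ESP layout (SPI, sequence number, IV, ciphertext, ICV) and shows that the same bytes pass or fail depending on which cipher and authentication sizes the receiver assumes, and that a truncated packet fails as well. The function names and the sample packet are constructed for illustration; only the length arithmetic is done, with no decryption or ICV verification.

```python
import struct

# Sizes in bytes for common Phase 2 (ESP) choices: (IV length, cipher block size)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# Truncated integrity check value (ICV) lengths in bytes
AUTHS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}
ESP_HEADER = 8  # 4-byte SPI + 4-byte sequence number


def check_esp_length(packet: bytes, cipher: str, auth: str) -> dict:
    """Check an ESP packet's ciphertext length against the assumed proposal."""
    iv_len, block = CIPHERS[cipher]
    icv_len = AUTHS[auth]
    if len(packet) < ESP_HEADER + iv_len + block + icv_len:
        return {"ok": False, "reason": "too short for this proposal"}
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER])
    ct_len = len(packet) - ESP_HEADER - iv_len - icv_len
    if ct_len % block:
        return {"ok": False, "spi": spi, "seq": seq,
                "reason": f"ciphertext {ct_len} bytes is not a multiple of {block}"}
    return {"ok": True, "spi": spi, "seq": seq, "ciphertext_len": ct_len}


def build_sample(cipher: str, auth: str, blocks: int, spi=0x1000, seq=1) -> bytes:
    """Constructed ESP packet with zeroed IV, ciphertext and ICV (lengths only)."""
    iv_len, block = CIPHERS[cipher]
    body = bytes(iv_len + blocks * block + AUTHS[auth])
    return struct.pack("!II", spi, seq) + body


if __name__ == "__main__":
    pkt = build_sample("3des-cbc", "hmac-sha1-96", blocks=4)  # 60 bytes
    cases = [
        ("as sent", pkt, "3des-cbc", "hmac-sha1-96"),
        ("receiver assumes AES", pkt, "aes-cbc", "hmac-sha1-96"),
        ("receiver assumes SHA-256 ICV", pkt, "3des-cbc", "hmac-sha256-128"),
        ("truncated in transit", pkt[:-3], "3des-cbc", "hmac-sha1-96"),
    ]
    for label, data, cipher, auth in cases:
        print(f"{label:30s} {check_esp_length(data, cipher, auth)}")
```
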