In a production environment, your gateway is configured to apply a Hide NAT for all internal
traffic destined to the Internet. However, you are setting up a VPN tunnel with a remote gateway,
and you are concerned about the encryption domain that you need to define on the remote
gateway. Does the remote gateway need to include your production gateway’s external IP in its
encryption domain?
A. Yes – The gateway will apply the Hide NAT for this VPN traffic.
B. Yes – all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, the packet will contain the source IP of the Gateway because of Hide NAT.
C. No – all packets destined to go through the VPN tunnel will have the payload encapsulated in an ESP packet and after decryption at the remote site, will have the same internal source and destination IP addresses.
D. No – all packets destined through a VPN will leave with original source and destination packets without translation.
Explanation:
Right answer would be B. If the “Disable NAT inside VPN” option is not checked under Community Properties, and there is no “no-NAT” rule on the NAT policy, the traffic will be NATed before being encrypted; therefore the other peer will see the GW IP address due to Hide NAT.
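The following is an added model, not code from the question or from any vendor's product, of the ordering the explanation relies on: the NAT policy runs before IPsec encapsulation, so the inner source address the remote peer sees after decryption (and therefore what its encryption domain must cover) depends on whether “Disable NAT inside VPN” or a no-NAT rule exempted the traffic. All addresses and networks are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not taken from the question).
LOCAL_DOMAIN = ip_network("10.1.0.0/16")    # our internal network / encryption domain
REMOTE_DOMAIN = ip_network("10.2.0.0/16")   # remote site's encryption domain
GW_EXTERNAL = ip_address("203.0.113.10")    # our gateway's external (Hide NAT) address


def inner_source_seen_by_peer(src, dst, *, disable_nat_inside_vpn=False, no_nat_rule=False):
    """Source IP carried inside the ESP payload when the packet reaches the peer.

    Models the order described in the explanation: NAT is evaluated before
    encryption, so VPN-bound traffic is hidden behind the gateway address
    unless the community option or an explicit no-NAT rule exempts it.
    """
    src, dst = ip_address(src), ip_address(dst)
    if not (src in LOCAL_DOMAIN and dst in REMOTE_DOMAIN):
        return src  # not tunnel traffic; outside the scope of this model
    if disable_nat_inside_vpn or no_nat_rule:
        return src  # translation skipped: peer sees the real internal host
    return GW_EXTERNAL  # Hide NAT applied first: peer sees the gateway IP


def peer_domain_matches(src, dst, peer_domain_for_us, **nat_opts):
    """True if the decrypted inner source falls inside the networks the remote
    gateway configured as *our* encryption domain (its view of our side)."""
    inner = inner_source_seen_by_peer(src, dst, **nat_opts)
    return any(inner in ip_network(n) for n in peer_domain_for_us)


if __name__ == "__main__":
    host, server = "10.1.5.20", "10.2.8.9"
    # Default case from the question: NAT applied, remote lists only our LAN.
    print(peer_domain_matches(host, server, ["10.1.0.0/16"]))                     # False
    # Remote also includes our gateway's external IP, as answer B requires.
    print(peer_domain_matches(host, server, ["10.1.0.0/16", "203.0.113.10/32"]))  # True
    # NAT exempted inside the VPN: the LAN alone is enough.
    print(peer_domain_matches(host, server, ["10.1.0.0/16"], disable_nat_inside_vpn=True))  # True
```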