IPSec and NAT on same Tier-1

We have many VPN connections to several customers who host their services in our NSX-T 3.1 Environment.

Every customer has it's own T1 to avoid IP conflicts (So 2 different customs can have same IP-Networks "at home" as those T1 Environments dont hav to communicate with each other)

Now we run into a Problem:  One customer is running the Network inside our T1 Segment "at home" which he want to reach.

Solution: NAT.

Customer address NAT-IP trough tunnel. 
packet es decrypted and NATed to original IP:

See in Log-Inside:>

But unfortunately communication is not established.

Turned to VM-Support (SR 21260137409) and they told: "I checked about the configuration that you've described and I found that there is a limitation with the NAT and the VPN that they cannot be done on the same tier router. "

To run VPN on T0 is no solution as there will be conflicts.

Has anybody has experienced this problem and has a solution?

Best regards

Sascha Bremshey

NSX-T Newbee



Labels (3)
0 Kudos
1 Reply
Hot Shot
Hot Shot



Had the same problem. NSX is not designed to do it this way. They call it a limitation, which is fine.
It is probably most easy to let "at-home" change. 'Normally' at home is small 🙂 (I know, not always)
Or change the IP network on your side. 

p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved