Source NAT and VPN: using the "exclude" option
When a packet is matched against the source NAT (including masquerade NAT) filter criteria, the source address of the packet is modified before it is forwarded to its destination. This means that source NAT rules are applied before the VPN process compares the packets against the VPN configuration. If the source network that is configured for source NAT is also configured to use a site-to-site VPN connection using the same externally facing interface, the packets are not recognized by the VPN process because the source address has been changed. Consequently, they are not placed into the VPN tunnel for transport.
To account for this behavior, packets destined for a VPN tunnel must be excluded from having NAT applied. You can do this by using an exclusion rule, as shown in the following figure.
To configure NAT in this way, perform the following steps in configuration mode.
Create SNAT rule 10.
Apply this rule to packets coming from any host on the 192.168.0.0/24 network, going to the 192.168.50.0/24 network, and egressing through the dp0p1p1 interface.
Exclude packets from NAT translation that match the filter criteria in this rule.
Create SNAT rule 20.
Apply this rule to packets coming from any host on the 192.168.0.0/24 network and egressing through the dp0p1p1 interface.
Use the primary IP address of the outbound interface as the translation address.
Commit the change.
Show the configuration.