Network Address Translation (NAT) is designed to decrease a private network's hunger for scarce public IP addresses. A NAT device takes a packet’s originating private IP address, converts that address into the NAT device's public IP address (or to an otherwise defined public IP address), then sends the packet across the Internet to its destination. NAT devices use an internal table to keep track of converted addresses.

Because NAT manipulates the packet’s original IP header, it invalidates the authenticity of underlying Layer Two Tunneling Protocol over IP Security (L2TP/IPSec) packets. Until recently, using L2TP/IPSec was difficult or impossible when NAT was involved on either side of the connection. Recently, however, an Internet Engineering Task Force (IETF) group came up with a solution called NAT Transversal (NAT-T), which IETF Request for Comments (RFC) 3193 defines. NAT-T uses UDP port 4500 and is quickly being adopted by many organizations.

If you're going to use IPSec between NAT endpoints, make sure your VPN software and devices support NAT-T. Microsoft Internet Security and Acceleration (ISA) Server 2000 on Windows 2003 Server can function as a NAT-T VPN gateway. Because of incompatibility concerns, Microsoft pulled the Windows XP NAT-T update soon after releasing it but plans to rerelease the update at some point. XP and Windows 2000 Service Pack 3 (SP3) and XP clients can use Windows Update to download Microsoft’s new IPSec NAT-T client (see the Microsoft article "L2TP/IPSec NAT-T Update for Windows XP and Windows 2000" for more details).

If you run a NAT network and need to use an ISA Server VPN but can't use NAT-T (not all vendors support NAT-T), use PPTP instead of L2TP. PPTP works with ISA Server, NAT, and most clients and servers. For more information about VPNs that involve NAT or NAT-T, read Stefaan Pouseele's excellent two-part paper about ISA Server and NAT-T at http://www.isaserver.org/articles/ipsec_passthrough.html.