13 Working with VPNs146 Nokia IP40 User GuideTo access a resource that is protected by a VPN in NAT mode, you must contact the hiding(Internet) address of the VPN gateway. Your request is then forwarded to the correct computer inthe protected network according to the defined security rules.To access a resource that is protected by a VPN in No-NAT mode, you must contact the IPaddress of the final computer in the destination network that you want to reach.NoteYou can establish VPN tunnels between a combination of NAT and No-NAT devices. Thispossibility is not discussed in this guide.No-NAT ModeUse no-NAT mode in site-to-site VPNs, where bi-directional initiation of traffic within a VPN isrequired between hosts with routable IP addresses.NoteYou can only use No-NAT mode with IP40 Satellite X.The Figure below shows a site-to-site VPN in No-NAT mode. Both VPN peers are consideredsite-to-site VPN gateways, and traffic is directly established from the source host to thedestination host. In this example, hosts on either network can initiate traffic to hosts on the peernetwork. Both Network 1 and Network 2 are using routable IP addresses.Figure 7 No-NAT ModeNAT ModeNAT mode should be used in site-to-site VPNs, where bi-directional initiation of traffic betweennetworks using private IP addresses is required.The Figure below shows two instances of a site-to-site VPN gateways in NAT mode.Routable IPNetwork-1Initiate VPN TunnelsIP40 SatelliteFW-1/ VPN-1Routable IPNetwork-2Internet00408