A Site-to-Site VPN creates a secure, encrypted connection between two networks over the Internet. It is used to connect branch offices, provide secure access to resources, and manage traffic centrally. However, in some cases normal routing is not enough: the internal IP addresses of one network may overlap with the addresses of the other network, or the security policy on the remote side may not allow internal IP addresses to be used directly. In these situations you need NAT on the Zyxel device so that traffic passes correctly through the VPN tunnel.
When to Use Different NAT Types in VPN
Depending on the scenario, different SNAT methods can be used in a Site-to-Site VPN:
- SNAT to a single IP – used when all traffic must appear to come from one source IP address at the remote site.
- 1:1 NAT – commonly used in site-to-site VPNs to resolve overlapping networks, avoid renumbering, hide internal addressing, and enable controlled connectivity between organizations.
Note: Mapping a full subnet to another subnet is also considered a 1:1 NAT scenario, not a separate SNAT type.
Why NAT Is Needed in a Site-to-Site VPN
- If both sides use the same or overlapping subnets (for example, 192.168.1.0/24), routing will not work correctly. NAT changes the source IP address to a different subnet and removes the conflict.
- If the partner network only accepts traffic from specific IP addresses, NAT can hide the internal addresses and replace them with an allowed IP range.
- If it is not possible to add correct routes, or if one side uses a dynamic IP address, NAT helps send traffic correctly through the VPN tunnel.
- 1:1 NAT allows traffic to use a single source IP address. This makes administration and monitoring easier.
In this article, we will look at one of the most common 1:1 NAT use cases. We will explain how to configure a Site-to-Site VPN with 1:1 NAT on Zyxel USG FLEX H when both sites use the same subnet.
Scenario: Overlapping Subnets
- Site A (Branch) LAN: 192.168.1.0/24
- Site B (Head Office) LAN: 192.168.1.0/24
To avoid conflict, Site A (HQ) will translate its LAN to 10.10.10.0/24 (used only inside the VPN).
Both sites use the same subnet.
Without 1:1 NAT, devices cannot distinguish between the local and remote 192.168.1.0/24 networks. Traffic will not be routed correctly.
Site A - Configure Site-to-Site VPN with NAT on Zyxel USG FLEX H
First, configure a basic IPSec VPN between the two devices.
Go to: Web GUI → VPN → IPSec VPN → Site to Site VPN
Step 1 – General Settings
Click Add to create a new tunnel and set the following:
- Type: Site-to-Site
- IKE Version: IKEv2
Under General Settings:
- Enable: ✔
- IKE Version: IKEv2
- Type: Policy-Based
- My Address: Select WAN interface
- Peer Gateway Address: Enter the remote public IP
- Authentication: Pre-Shared Key (same on both sides)
Step 2 – Phase 1 Settings
Under Phase 1 Settings:
- Encryption: AES128 (or as required)
- Authentication/PRF: SHA1 or SHA256
- DH Group: DH14 (recommended)
- SA Lifetime: Default or as agreed
Step 3 – Phase 2 Settings
Under Phase 2 Settings, click Add and configure:
- Local: 11.11.11.0/24
- Remote: 10.10.10.0/24
- Protocol: Any
- PFS: Enable (DH14 recommended)
Even though the subnets are the same, NAT will handle the address translation.
Step 4 – Configure 1:1 NAT (Important Step)
Scroll to: Advanced Settings → Destination (the first Remote policy) → NAT Rule
Click Add and configure:
- Origin IP: 192.168.168.0/24
- Type: 1:1 NAT
- Mapped IP: 11.11.11.0/24
Apply the configuration.
This ensures that traffic entering the VPN tunnel is translated from:
192.168.168.x → 11.11.11.x
Site B - Configure Site-to-Site VPN with NAT on Zyxel USG FLEX H
Step 1 – General Settings
Under General Settings:
- Enable: ✔
- IKE Version: IKEv2
- Type: Policy-Based
- My Address: Select WAN interface
- Peer Gateway Address: Enter the remote public IP
- Authentication: Pre-Shared Key (same on both sides)
Step 2 – Phase 1 Settings
Under Phase 1 Settings:
- Encryption: AES128 (or as required)
- Authentication/PRF: SHA1 or SHA256
- DH Group: DH14 (recommended)
- SA Lifetime: Default or as agreed
Step 3 – Phase 2 Settings
Under Phase 2 Settings, click Add and configure:
- Local: 10.10.10.0/24
- Remote: 11.11.11.0/24
- Protocol: Any
- PFS: Enable (DH14 recommended)
Even though the subnets are the same, NAT will handle the address translation.
Step 4 – Configure 1:1 NAT (Important Step)
Scroll to: Advanced Settings → Destination (the first Remote policy) → NAT Rule
Click Add and configure:
- Origin IP: 192.168.168.0/24
- Type: 1:1 NAT
- Mapped IP: 11.11.11.0/24
Apply the configuration.
This ensures that traffic entering the VPN tunnel is translated from:
192.168.168.x → 10.10.10.x
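As an added worked example (not part of the Zyxel article and not Zyxel code), the following Python script models the two 1:1 NAT rules from Step 4 of both sites and the Phase 2 selectors from Step 3. It assumes the values used in the steps: both LANs are 192.168.168.0/24, Site A is mapped to 11.11.11.0/24, and Site B is mapped to 10.10.10.0/24 (the subnet in Site B's Phase 2 Local selector and in its translation line). The site dictionaries are constructed sample input, not a Zyxel configuration export. The script shows how a 1:1 NAT keeps the host bits and swaps the network prefix, follows one packet through both rules, and checks that the mapped subnets are unique and that the Phase 2 selectors mirror each other, which is the consistency a practitioner should confirm before bringing the tunnel up.

```python
import ipaddress

# Constructed sample values mirroring the article's scenario (not a Zyxel export).
# "lan" is the real subnet, "mapped" the subnet used inside the tunnel, and the
# phase2_* fields are the traffic selectors configured on that site.
SITE_A = {
    "name": "Site A",
    "lan": "192.168.168.0/24",
    "mapped": "11.11.11.0/24",
    "phase2_local": "11.11.11.0/24",
    "phase2_remote": "10.10.10.0/24",
}
SITE_B = {
    "name": "Site B",
    "lan": "192.168.168.0/24",
    "mapped": "10.10.10.0/24",
    "phase2_local": "10.10.10.0/24",
    "phase2_remote": "11.11.11.0/24",
}

NET_KEYS = ("lan", "mapped", "phase2_local", "phase2_remote")


def translate_1to1(origin_net: str, mapped_net: str, host_ip: str) -> str:
    """1:1 NAT of one address: keep the host bits, replace the network prefix.

    Works in either direction: pass (lan, mapped) to translate an outbound
    source address, or (mapped, lan) to undo the translation on the receiving
    side for the destination address.
    """
    origin = ipaddress.ip_network(origin_net, strict=False)
    mapped = ipaddress.ip_network(mapped_net, strict=False)
    host = ipaddress.ip_address(host_ip)
    if origin.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT requires origin and mapped subnets of equal size")
    if host not in origin:
        raise ValueError(f"{host} is not inside origin subnet {origin}")
    offset = int(host) - int(origin.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def trace_packet(src_site: dict, dst_site: dict, src_host: str, dst_host_mapped: str) -> tuple:
    """Follow one packet through both NAT rules.

    Returns (source address as seen at the destination site, real destination host).
    The sender addresses the peer's mapped subnet; the peer's own rule maps it
    back to the real LAN host.
    """
    src_seen = translate_1to1(src_site["lan"], src_site["mapped"], src_host)
    real_dst = translate_1to1(dst_site["mapped"], dst_site["lan"], dst_host_mapped)
    return src_seen, real_dst


def check_sites(a: dict, b: dict) -> list:
    """Return a list of configuration problems; an empty list means the sites agree."""
    problems = []
    na = {k: ipaddress.ip_network(a[k]) for k in NET_KEYS}
    nb = {k: ipaddress.ip_network(b[k]) for k in NET_KEYS}

    # The mapped subnets are what the peer routes to, so they must be unique:
    # no overlap with either real LAN and no overlap with each other.
    lans = ((f"{a['name']} LAN", na["lan"]), (f"{b['name']} LAN", nb["lan"]))
    for label, net in ((f"{a['name']} mapped", na["mapped"]), (f"{b['name']} mapped", nb["mapped"])):
        for other_label, other in lans:
            if net.overlaps(other):
                problems.append(f"{label} {net} overlaps {other_label} {other}")
    if na["mapped"].overlaps(nb["mapped"]):
        problems.append(f"mapped subnets overlap: {na['mapped']} and {nb['mapped']}")

    # Phase 2 selectors must mirror each other (A local == B remote and vice versa),
    # otherwise the tunnel will not carry the translated traffic as intended.
    if na["phase2_local"] != nb["phase2_remote"] or na["phase2_remote"] != nb["phase2_local"]:
        problems.append("Phase 2 selectors do not mirror between the two sites")

    # Each NAT rule must translate into exactly that site's Phase 2 Local selector.
    for site, n in ((a, na), (b, nb)):
        if n["mapped"] != n["phase2_local"]:
            problems.append(
                f"{site['name']}: mapped subnet {n['mapped']} differs from Phase 2 local {n['phase2_local']}"
            )
    return problems


if __name__ == "__main__":
    print("problems:", check_sites(SITE_A, SITE_B) or "none")
    seen, real = trace_packet(SITE_A, SITE_B, "192.168.168.10", "10.10.10.20")
    print(f"Site B sees source {seen}, delivers to real host {real}")
```

Changing one value, for example setting Site B's mapped subnet to 11.11.11.0/24 while its Phase 2 Local stays 10.10.10.0/24, makes `check_sites` report both the overlap with Site A's mapped subnet and the mismatch against the selector, which is the kind of copy-paste mistake that is easy to make when configuring two sides by hand.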
Verification
- Establish the VPN tunnel.
- Ping from Site A to a host on Site B.
- On Site B, verify that the traffic source appears as 10.10.10.x.
- Check the VPN and NAT logs for successful translation.