NSX SNAT not working when Policy based VPN is configured

Article ID: 397684

Products

VMware NSX

Issue/Introduction

  • A Policy-Based VPN (PBVPN) session and a Source NAT (SNAT) rule both match the same source subnet on a Tier-0 or Tier-1 Gateway.
  • Traffic to the VPN peer is encrypted and sent over the IPsec tunnel, but the SNAT rule is not applied to it, contrary to expectations.
  • Traceflow or a packet capture shows the packets with their original (untranslated) source IP.

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

NSX evaluates PBVPN traffic selectors against the original (pre-NAT) packet headers. If a policy's local and remote subnets match the pre-NAT source and destination IP addresses, the packet is selected for encryption and SNAT is skipped for that flow. NAT rules are only consulted for packets that no PBVPN policy claims.

“SNAT happens only if no PB VPN policy matches pre-NAT IP addresses.”

Resolution

This behavior is by design and expected.

If SNAT must be applied before traffic enters the VPN, there are two approaches:

Option 1: Disable PBVPN

  • If SNAT is required and the VPN policy is no longer needed, disable the PBVPN session.
  • SNAT then takes effect because no VPN policy intercepts the packet. Note that this also removes the encrypted path: the translated traffic leaves via the uplink in cleartext.

Option 2: Convert to Route-Based VPN

  • Route-Based VPN uses a virtual tunnel interface (VTI) and routing instead of traffic selectors, so there is no pre-NAT selector match that can claim the packet.
  • This gives full NAT control: SNAT is applied first, and the routing decision then sends the translated packet through the tunnel interface. The remote peer must have a return route for the translated address.
  • Preferred in scenarios where NAT must occur before encryption.
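The precedence described in the Cause and Resolution sections is easy to get wrong when auditing a gateway, so the following is an added illustration (not NSX code, and not from this article) that models it: PBVPN selectors are evaluated on pre-NAT headers and a match bypasses SNAT, whereas with a route-based session NAT runs first and a destination route decides whether the VTI carries the packet. The rule shapes, names (`to-branch`, `snat-app`), subnets and the `vti_routes` list are constructed assumptions; the SNAT field names merely mirror the NSX Policy API vocabulary. `snat_shadowed_by_pbvpn` is a small pre-check that lists SNAT rules whose pre-NAT match overlaps a PBVPN policy, i.e. rules that will silently not apply.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class PbvpnPolicy:
    """Traffic selectors of one policy-based IPsec session (local = pre-NAT side)."""
    name: str
    local_subnets: List[str]
    remote_subnets: List[str]


@dataclass
class SnatRule:
    """Simplified SNAT rule; field names echo the NSX Policy API (assumed shape)."""
    name: str
    source_network: str
    translated_network: str
    destination_network: str = "0.0.0.0/0"


def _covers(subnets, ip) -> bool:
    return any(ip in ip_network(s, strict=False) for s in subnets)


def match_pbvpn(policies, src, dst) -> Optional[PbvpnPolicy]:
    """PBVPN policy whose selectors cover the ORIGINAL (pre-NAT) src/dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    return next((p for p in policies
                 if _covers(p.local_subnets, src) and _covers(p.remote_subnets, dst)), None)


def match_snat(rules, src, dst) -> Optional[SnatRule]:
    """First SNAT rule whose source/destination match covers the flow, or None."""
    src, dst = ip_address(src), ip_address(dst)
    return next((r for r in rules
                 if _covers([r.source_network], src)
                 and _covers([r.destination_network], dst)), None)


def forward(src, dst, pbvpn, snat, vti_routes=(), route_based=False) -> dict:
    """Simulate the gateway's decision for one flow.

    Policy-based: selectors are checked on pre-NAT headers first; a match sends
    the packet into IPsec with its original source and SNAT is never applied.
    Route-based: SNAT is applied first, then the destination route picks the
    VTI or the uplink (modelled by the vti_routes list, an assumption).
    """
    if not route_based:
        p = match_pbvpn(pbvpn, src, dst)
        if p is not None:
            return {"egress": "ipsec:" + p.name, "src": src, "snat": None}
    r = match_snat(snat, src, dst)
    new_src = r.translated_network if r else src
    egress = "vti" if route_based and _covers(vti_routes, ip_address(dst)) else "uplink"
    return {"egress": egress, "src": new_src, "snat": r.name if r else None}


def snat_shadowed_by_pbvpn(pbvpn, snat) -> List[tuple]:
    """(snat_rule, policy) pairs where the policy's selectors overlap the SNAT
    rule's pre-NAT match: flows on which that SNAT rule will not be applied."""
    out = []
    for r in snat:
        s_net = ip_network(r.source_network, strict=False)
        d_net = ip_network(r.destination_network, strict=False)
        for p in pbvpn:
            local_hit = any(s_net.overlaps(ip_network(l, strict=False)) for l in p.local_subnets)
            remote_hit = any(d_net.overlaps(ip_network(m, strict=False)) for m in p.remote_subnets)
            if local_hit and remote_hit:
                out.append((r.name, p.name))
    return out


# Constructed sample configuration (not taken from any real deployment).
PBVPN = [PbvpnPolicy("to-branch", ["10.10.0.0/24"], ["192.168.50.0/24"])]
SNAT = [SnatRule("snat-app", "10.10.0.0/24", "203.0.113.10")]
VTI_ROUTES = ["192.168.50.0/24"]

if __name__ == "__main__":
    # Flow to the VPN peer: PBVPN wins, original source goes into the tunnel.
    print(forward("10.10.0.5", "192.168.50.7", PBVPN, SNAT))
    # Flow that no PBVPN policy claims: SNAT is applied as expected.
    print(forward("10.10.0.5", "198.51.100.9", PBVPN, SNAT))
    # Same peer flow over a route-based session: SNAT first, then the VTI.
    print(forward("10.10.0.5", "192.168.50.7", [], SNAT, VTI_ROUTES, route_based=True))
    print(snat_shadowed_by_pbvpn(PBVPN, SNAT))
```

Running the block prints the three decisions and the shadowed pair `("snat-app", "to-branch")`, which is exactly the symptom in this article: the only flow for which the SNAT rule is skipped is the one whose pre-NAT headers fall inside the PBVPN selectors.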