NAT inside of a VPN tunnel


I have a VPN NAT problem kind of any that I hope that someone can help me with. I can't believe I'm the only one that has ever had this issue.

I'm using /24 on my inside network and I need to connect to a vendor through a VPN tunnel from my PIX 515 firewall across the internet. Here's the catch: they require a static address for each of my clients that uses their software for it to work. I've been doing this connection through a point to point connection before now, so it hasn't been a problem.

I guess the question is, how can I get my 10 network NATed to a 172 network inside a VPN tunnel? I hope someone can help. Can this even be done?


Why not try the following:

Basically, you'll be NAT'ing your private LAN address to a global IP (213.249.300.200). The crypto match address statement will trigger traffic via the tunnel originating from the 213.249.300.200 address. As far as your customer is concerned, they will see that your traffic is coming from IP 213.249.300.200 rather than your LAN IP.

I am presuming that your customer side address is ?

Any other traffic from your LAN side will be translated to your public IP address assigned to your PIX outside interface i.e.

global (outside) 1 interface

nat (inside) 1 0 0

The 81.155.x.x (in this example), will be the peer IP address of your customer firewall.

access-list nat_to_customer permit ip

access-list crypto_map_customer permit ip host 213.249.300.200

ip address outside 213.249.300.100

ip address inside 10.1.101.x

global (outside) 2 213.249.300.200

global (outside) 1 interface

nat (inside) 2 access-list nat_to_customer 0 0

nat (inside) 1 0 0

route outside 213.249.300.150 1

sysopt connection permit-ipsec

crypto ipsec transform-set esp-3des esp-md5-hmac

crypto map testmap 1 ipsec-isakmp

crypto map testmap 1 match address crypto_map_customer

crypto map testmap 1 set peer 81.155.x.x

crypto map testmap 1 set transform-set

crypto map testmap interface outside

isakmp enable outside

isakmp key address 81.155.x.x netmask

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

I hope that I have understood your question correctly?

If it helps please rate posts!


Kamal Malhotra Tue, 02/20/2007 - 08:02


I believe what you need is a policy NAT. E.g. if their network is 192.168.1.0/24, it would look like:

access-list nat_to_customer permit ip

static (inside,outside) access-list nat_to_customer mask

access-list crypto_map_customer permit ip

Rest of the configuration would be like any other regular VPN. There is another catch. Please make sure that there is no nat bypass configuration for the traffic from to as if it is there then the policy NAT won't work.

Please let me know if you need anything else. Please do rate if it helps.



Kamal Malhotra Tue, 02/20/2007 - 08:04

Just to add, with this method, the last octet of your IP addresses will remain the same. E.g. will be translated to

Please also make sure that you are running 6.3.4 or higher version on the PIX.



gothamprojects Tue, 02/20/2007 - 08:49

Hi There,

I have a similar situation, where I've configured an ipsec tunnel as shown below to a vendor, which I can bring up by pinging the remote network. However, the vendor requires that this tunnel be NAT'd behind our external IP. Can I use the method above to NAT traffic to this tunnel with the outside interface IP? Simply removing the entry from the nonat access-list prevents the tunnel from coming up, so I suspect I need an explicit NAT statement like the static shown above? (The access-list vpn_in is assigned to the outside interface).

(Vendor's IP ranges xxx-ed to protect the innocent)

Kind Regards.

access-list nonat permit ip host

access-list vpn_in permit ip host

access-list vendor permit ip host

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

crypto map vpn 11 ipsec-isakmp

crypto map vpn 11 match address vendor

crypto map vpn 11 set peer

crypto map vpn 11 set transform-set desmd5

Kamal Malhotra Tue, 02/20/2007 - 09:01

Hi gothamprojects,

If your tunnel comes up with the current config, then you need to make changes on both the ends for the NAT thing to work. If you make changes just on your device then the other end might not accept the connection.


Please do rate if it helps.



gothamprojects Tue, 02/20/2007 - 09:08

Hi Kamal thanks for the speedy reply,

For the purposes of this discussion can we assume that the other end is correctly configured for this NAT situation?

What would I need to do to masquerade local ip addresses behind the outside interface address? Currently only the one host needs to use the tunnel. I'd prefer to use an access-list for hosts that need to be NAT'd pre-tunnel so I can add further hosts in the future.


Kamal Malhotra Tue, 02/20/2007 - 09:55


Is the a NATed IP or the physical IP? If it is NATed then we can assume that the other end is correctly configured. You can use the commands similar to what I had posted earlier to get it done.


Please do rate if it helps.



Kamal Malhotra Tue, 02/20/2007 - 15:03


No problems :-)

Please rate the posts if you think those were helpful.



gothamprojects Thu, 02/22/2007 - 23:46

Thanks for your help Kamal, the issue is resolved & the appropriate post is rated.


trevora Mon, 02/26/2007 - 10:08

This is a great example.

What I understand from this is that NAT will take place before IPSEC and you then use the global NATed address for the crypto ACL.

This could be done the same on both ends.

or have I missed it?
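
A small model of the order of operations discussed in this thread, added here as an illustration and not posted by any participant: policy NAT runs before the crypto ACL is checked, the host part of the address is preserved, and a NAT exemption covering the same flow keeps the packet out of the tunnel. The 10.1.101.0/24, 172.16.1.0/24 and 203.0.113.10 values and all function names are assumptions; 192.168.1.0/24 is the vendor network used in the reply's example.

```python
import ipaddress

# Constructed addressing (assumptions for this example only)
INSIDE = ipaddress.ip_network("10.1.101.0/24")    # real client LAN
MAPPED = ipaddress.ip_network("172.16.1.0/24")    # range the vendor expects to see
VENDOR = ipaddress.ip_network("192.168.1.0/24")   # vendor network from the reply's example
PAT_ADDR = ipaddress.ip_address("203.0.113.10")   # outside interface used for all other traffic

def policy_static(src, dst):
    """Net-to-net policy NAT: translate only vendor-bound traffic and keep
    the host part (the last octet for a /24) unchanged."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INSIDE and dst in VENDOR:
        offset = int(src) - int(INSIDE.network_address)
        return MAPPED.network_address + offset
    return None

def crypto_acl_matches(src, dst):
    """Crypto ACL written against the translated (mapped) source range."""
    return (ipaddress.ip_address(src) in MAPPED
            and ipaddress.ip_address(dst) in VENDOR)

def egress(src, dst, nat_bypass=False):
    """Return (source address on the wire, packet enters the tunnel?).

    NAT is decided first, then the crypto ACL sees the translated source.
    nat_bypass models a NAT exemption (nat 0) that covers this flow: it
    wins over the policy static, so the source stays untranslated."""
    if nat_bypass:
        wire_src = ipaddress.ip_address(src)
    else:
        wire_src = policy_static(src, dst)
        if wire_src is None:
            wire_src = PAT_ADDR  # ordinary internet traffic: PAT to the interface
    return str(wire_src), crypto_acl_matches(wire_src, dst)

if __name__ == "__main__":
    print(egress("10.1.101.25", "192.168.1.10"))                   # translated, tunnelled
    print(egress("10.1.101.25", "192.168.1.10", nat_bypass=True))  # exemption breaks it
    print(egress("10.1.101.25", "198.51.100.7"))                   # PAT, not tunnelled
```
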



