NAT Traffic on Pix 515E (6.3.5) before Tunnel

Unanswered Question
Apr 19th, 2007

I have several clients using PIX tunnels for site-to-site connections. I have one client who cannot route my internal network address space due to an overlap issue. I have tried to set up the NAT, but the traffic is not changing to the NAT address.

Here are the entries I used (the tunnel is working):

access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86
access-list inside-outbound_nat3_acl permit ip 142.x.x.86
nat (inside) 3 access-list inside-outbound_nat3_acl
global (outside) 3 64.x.x.5

Any help would be appreciated!



scoutert24 Fri, 04/20/2007 - 05:37

This did not work. My problem is that my NAT ACL is getting hits, but that is where it looks like the traffic stops.

Here are my configs:

access-list inside-outbound_nat3_acl permit ip 10.x.x.0 142.x.x.86
access-list outside_cryptomap_1400 permit ip host 64.x.x.5 142.x.x.86
global (outside) 3 64.x.x.5
nat (inside) 3 access-list inside-outbound_nat3_acl
crypto map outside_map 1400 ipsec-isakmp
crypto map outside_map 1400 match address outside_cryptomap_1400
crypto map outside_map 1400 set peer 199.x.x.23
crypto map outside_map 1400 set transform-set ESP-3DES-MD5
crypto map outside_map 1400 interface outside
isakmp policy 1400 authentication pre-share
isakmp policy 1400 encryption 3des
isakmp policy 1400 hash md5
isakmp policy 1400 group 2
isakmp policy 1400 lifetime 86400

Any other ideas?



srue Fri, 04/20/2007 - 05:45

Have you done any debugging, or do you have any logs that you can post?

scoutert24 Fri, 04/20/2007 - 10:33

I have just been watching counts on access lists. Do you have any other ideas on how to debug the issue?

I just started picking up the network devices at my company, since our last network engineer moved on.


Attached is a working configuration of policy NAT VPN from my lab. Things to note:

If there's another IPSec tunnel that uses NAT exemption, there will be a "nat (inside) 0 access-list ..." line in the existing configuration.

The access-list this references needs a deny added to it that specifies any traffic from the LAN side going to the peer inside subnet is ignored, otherwise the NAT will not happen.

Hope this helps!
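The last reply describes the ordering problem that makes policy NAT appear to "stop" at the NAT ACL: on PIX 6.3 the NAT-exemption list (nat (inside) 0 access-list) is consulted before any policy NAT entry, so a permit there sends the packet out untranslated and the crypto ACL written for the translated address never matches. The Python model below is an added example, not code or configuration from this thread or from Cisco; it reproduces only that part of the PIX NAT order of operations (exemption first, then policy NAT, then crypto-map matching) over a few first-match ACLs. All addresses are constructed placeholders (10.1.1.0/24 for the inside network, 198.51.100.86 in place of 142.x.x.86, 203.0.113.5 in place of 64.x.x.5), and the pre-existing exemption list is assumed to be a broad "permit ip LAN any", which is the case where the new peer's traffic is swallowed by nat 0 unless a deny for it is placed first.

```python
import ipaddress
from dataclasses import dataclass


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse a PIX 6.3 style address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Ace:
    """One access-list entry: <permit|deny> ip <src> <dst>."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, net(src), net(dst))


def acl_lookup(acl, src: str, dst: str):
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny at the end."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action
    return None


def translate(src: str, dst: str, nonat_acl, policy_nat):
    """Model of the PIX 6.3 NAT order of operations for the rules involved here:
    1. nat (inside) 0 access-list (exemption) is checked first; a permit match means
       the packet leaves with its real source address.
    2. Otherwise the policy NAT entries (nat (inside) N access-list + global (outside) N)
       are tried in order and the first permit match rewrites the source.
    Returns (source address after NAT, reason)."""
    if acl_lookup(nonat_acl, src, dst) == "permit":
        return src, "exempt (nat 0)"
    for nat_id, acl, global_ip in policy_nat:
        if acl_lookup(acl, src, dst) == "permit":
            return global_ip, f"policy nat {nat_id}"
    return src, "no nat rule matched"


# Constructed placeholders standing in for the thread's masked addresses.
LAN = "10.1.1.0 255.255.255.0"        # inside network (10.x.x.0 in the thread)
PEER_HOST = "host 198.51.100.86"      # stands in for 142.x.x.86
GLOBAL_IP = "203.0.113.5"             # stands in for 64.x.x.5

# inside-outbound_nat3_acl / nat (inside) 3 / global (outside) 3
POLICY_NAT_ACL = [ace("permit", LAN, PEER_HOST)]
POLICY_NAT = [(3, POLICY_NAT_ACL, GLOBAL_IP)]
# outside_cryptomap_1400: written for the translated source, as in the thread
CRYPTO_ACL = [ace("permit", "host " + GLOBAL_IP, PEER_HOST)]


def nonat_acl(with_deny: bool):
    """Assumed pre-existing exemption list for another tunnel: a broad 'permit ip LAN any'.
    With with_deny=True the deny recommended in the thread is placed in front of it."""
    entries = []
    if with_deny:
        entries.append(ace("deny", LAN, PEER_HOST))
    entries.append(ace("permit", LAN, "any"))
    return entries


def simulate(with_deny: bool, src: str = "10.1.1.20", dst: str = "198.51.100.86"):
    """Return (source after NAT, reason, whether the crypto ACL now matches the packet)."""
    new_src, reason = translate(src, dst, nonat_acl(with_deny), POLICY_NAT)
    return new_src, reason, acl_lookup(CRYPTO_ACL, new_src, dst) == "permit"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"deny in nat 0 ACL: {str(flag):5} ->", simulate(flag))
```

Without the deny, the packet matches the exemption list, keeps its 10.1.1.20 source, and the crypto ACL for 203.0.113.5 never sees it, which is what "NAT ACL hit counters increase but nothing is translated" looks like; with the deny in front, the same packet is translated by policy NAT 3 and then matches the crypto map entry. On a real PIX the equivalent check is to compare the hit counts of the nat 0 list and the policy NAT list for the same flow.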



