Pix IPsec policy NAT

Jun 2nd, 2007

Hello All,

I have the following scenario:

Pix version 6.3(3)

DMZ interface with a private network ( with some server configured static NATs to be accessible from the outside.

Outside interface with public IPs

I have to establish a lan-to-lan tunnel with a customer so he can access our DMZ. Our problem is that the customer has the same private network as ours. I'm trying to solve this problem with policy NAT. However, I can reach the customer DMZ while the customer is unable to reach our DMZ. In the past I solved this problem with route-maps on Cisco routers. Is it possible to solve this scenario with a PIX without modifying our network? How?

Thanks in advance.

Jon Marshall Sat, 06/02/2007 - 12:12


When you say you can reach his DMZ, do you mean you can establish full connectivity?

It's a little confusing. If your source addresses are in the same range as the customer network then you should not be able to get to them. A couple of questions:

1) Are you establishing connectivity from your DMZ to the other DMZ?

2) If you are, what are the source IP addresses?

If they are in the 192.168.250.x range then this shouldn't work even from your DMZ to theirs. If they are using their NATted public IP address when they connect then just point the customer to the public IP addresses, assuming they want to get to the same servers.

Policy NAT won't really help here. If the source IP address is for example and this packet goes to the customer device, when the server at the other end tries to respond it believes that the machine is on the local network.

Could you fill in a few of the details?


david.barroso Sat, 06/02/2007 - 12:31

Yes, I can reach without any problem the customer DMZ doing policy NAT.

I change my DMZ network to a different private network using policy NAT, for example to 192.168.20.x. However, the traffic initiated by the customer doesn't reach my DMZ because the policy NAT only works for outgoing traffic.

david.barroso Sat, 06/02/2007 - 12:49

Sorry, I realized that my explanation was not totally accurate. The customer DMZ is not the same network as my DMZ. However, the customer has my network on another interface. Something like this:


Outside: Public network


Customer Device

Outside: Public network.



We have to establish a LAN-to-LAN tunnel from their DMZ to our DMZ. Is it possible to do it by modifying only my PIX?

Jon Marshall Sat, 06/02/2007 - 23:53

Hi David

You need to present your 192.168.250.x addresses that the customer wants to reach as different addresses to the customer or it will never work.

In answer to your question, yes you can do the NAT on just your end. You just need to make sure that whatever addresses you choose do not conflict with any at the customer site.

But unfortunately the customer will have to update their IPsec settings. So for example say the customer wanted access to at your end. Let's say you present these as to the customer. They will still have to modify their IPsec settings that define the interesting traffic, in Cisco terms the crypto access-lists. And you would need to modify yours as well to reflect the new 172.16.250.x addresses.

If you are already NATting the 192.168.250.x addresses then as long as they don't conflict with any customer addresses you can use these.

Does this make sense?


david.barroso Sun, 06/03/2007 - 02:09

Yes, it makes sense. As I said, I'm already doing it. I'm policy NATting my network to reach the customer (the IPsec is properly configured) and I can reach the customer. However, when the customer initiates the traffic the NAT doesn't work and I don't know how to do it. My NAT configuration is something like:

access-list CUST1_NAT permit ip host host

static (inside,outside) access-list CUST1_NAT

With this configuration the NAT only occurs when I start the traffic (which makes sense because of the ACL).

Thanks for your time and help.

Jon Marshall Sun, 06/03/2007 - 11:57


Yes it will only work when you initiate the traffic because that static is only created due to it matching the access-list.

If you want the customer to be able to initiate traffic you will have to set up a permanent static translation rather than the policy NAT you have set up.

Is there some reason you cannot do this?
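As an added example (not posted by anyone in this thread), the permanent static Jon describes in PIX 6.3 syntax. All addresses are constructed for illustration: 192.168.250.10 is a DMZ server, 172.16.250.10 is the address it is presented as, 10.99.0.0/24 is the customer DMZ and 203.0.113.1 is the customer peer; the ISAKMP policy and pre-shared key are omitted.

```cisco
! Permanent static: DMZ host 192.168.250.10 is always reachable from the
! outside as 172.16.250.10, so the customer can initiate traffic. Unlike
! a policy static tied to an access-list, it does not depend on the DMZ
! host sending first. (Constructed addresses.)
static (dmz,outside) 172.16.250.10 192.168.250.10 netmask 255.255.255.255

! Interesting traffic must use the presented address, not the real one.
! The customer's crypto access-list has to be the mirror image:
!   permit ip 10.99.0.0 255.255.255.0 host 172.16.250.10
access-list CUST1_CRYPTO permit ip host 172.16.250.10 10.99.0.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address CUST1_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface access-list.
sysopt connection permit-ipsec
```

PIX access-lists use normal masks rather than inverse wildcards, so 255.255.255.0 here means the whole 10.99.0.0/24 customer network.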


david.barroso Sun, 06/03/2007 - 12:51

I cannot do static translations because I already have static translations so the servers can be accessed from the outside.

On Cisco routers I solved this problem with NAT and route-maps, but I'm a bit disappointed because I'm not able to solve this scenario with a PIX firewall.


david.barroso Sun, 06/03/2007 - 13:00

I forgot to mention it: I cannot use the current static NATs for the tunnel because the customer assigned us a network for our side.

