NAT question with VPN

Jun 26th, 2007

This is my configuration:

VPN tunnel between FW1 and FW2

Local addresses: on FW1 and on FW2

Behind the inside interface of FW2, there is a remote site (network C).

PCs from network are able to reach PCs on network (no problem).

When a PC from network wants to reach a PC on network C, I need that on the inside interface of FW2 the source address of is translated to a local address of this network (let's say ), because the network of is not routable to the remote site C.

First question: is it ever possible to do this?

Second question: if possible, what do I need to configure?

Thanks for the help.

jbrunstein Tue, 06/26/2007 - 04:49

Hi James

Yes, the inside interface of FW2 is in subnet .

My firewalls are PIX boxes. Do you have a URL with the configuration of ip nat outside source for the PIX? The one you gave me is for IOS routers.



jbrunstein Tue, 06/26/2007 - 23:38

Hi James

I'm now able to do outside NAT for my configuration. The problem was not really with the commands to configure, but there was another problem (ARP in the next router) that was blocking the traffic.

Here are the 3 commands I needed:

access-list outside_pnat_inbound extended permit ip host

global (inside) 8

nat (outside) 8 access-list outside_pnat_inbound outside

With those 3 commands, all the source addresses for frames from network on the inside of FW1 are translated to when sent out from the inside of FW2, and this matches the local network.

Those frames can then reach the remote site C, and the router over there has a route back to .

Thanks for supporting me!
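To show the three commands in context, here is an added configuration example in PIX syntax; it is not the poster's configuration, and every address in it is a constructed RFC 1918 value, not one from this thread. It assumes network A = 10.1.0.0/24 behind FW1, FW2's inside subnet = 192.168.2.0/24, remote site C = 172.16.3.0/24, and a next-hop router at 192.168.2.254 on FW2's inside.

```text
! FW2 (PIX) -- added example, constructed addresses, not the original poster's config.
! Only traffic from network A (arriving decrypted on the OUTSIDE interface from the VPN)
! that is headed for site C should be translated; everything else keeps its real source.
access-list outside_pnat_inbound extended permit ip 10.1.0.0 255.255.255.0 172.16.3.0 255.255.255.0

! NAT id 8 ties the inbound match to a pool on the INSIDE interface (outside NAT).
! The pool address is an unused host in FW2's inside subnet, so site C can already
! route replies to it without learning anything about 10.1.0.0/24.
global (inside) 8 192.168.2.50 netmask 255.255.255.0
nat (outside) 8 access-list outside_pnat_inbound outside

! FW2 needs to know that site C sits behind the next-hop router on its inside side.
route inside 172.16.3.0 255.255.255.0 192.168.2.254 1

! Checks on the next-hop / site C router (what the thread ran into):
!  - it needs a route back to 192.168.2.0/24 only, never to 10.1.0.0/24
!  - it must resolve 192.168.2.50 by ARP; a stale ARP entry for that address on the
!    router silently blackholes the return traffic even when the NAT itself is correct
```

The same ACL/global/nat triple from the reply above is what does the work; the route and ARP notes cover the "other problem" the poster hit after the NAT commands were already right.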
