VPN and NAT between PIX and sonicwall TZ170

Jun 26th, 2007


I'm trying to create a site-to-site VPN between a PIX 520 and a SonicWall TZ170. The problem is that both sides use on the inside, so I have to use NAT.

They only need to reach some addresses in the range, so I only need to NAT from my side to their side.

The tunnel comes up and I receive packets, but I never see packets encapsulated on my side.

The setup is


Relevant config:

access-list SAP_oasis extended permit ip
access-list SAP_oasis extended permit ip

global (outside) 1
nat (inside) 1
static (outside,inside) netmask

route outside 1
route inside 1

crypto ipsec transform-set aes-256_sha esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address SAP_oasis
crypto map VPN 10 set peer
crypto map VPN 10 set transform-set aes-256_sha
crypto map VPN interface outside

isakmp identity address
isakmp enable outside
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

Can anybody help me out?

James.Ren Wed, 06/27/2007 - 03:44

Hi there,

I think the problem might be caused by your NAT in the security appliance. When your defined VPN traffic went through your PIX, it was translated to another address, thus it failed to meet your SAP_oasis.

You need to use NAT 0 to exempt the VPN traffic from being translated.

Hope it helps.


James Ren
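As an added illustration of the point made in this reply (example configuration written for this page, not the poster's config or a Cisco document; every address, and every ACL name other than SAP_oasis and the crypto map name VPN, is assumed): on PIX/ASA 7.x the crypto map's match ACL is compared against the packet after outbound NAT has been applied. The crypto ACL therefore has to be written in translated addresses, and the catch-all PAT has to be kept away from the tunnel traffic, either with a policy static for the part that must be translated (the overlapping range) or with a NAT exemption for traffic that should keep its real address. Both are shown below.

```text
! Added example in PIX/ASA 7.x syntax; not the configuration from the thread.
! Assumed addressing:
!   our inside (real)                192.168.1.0/24
!   peer's inside (real)             192.168.1.0/24   (same range, hence the NAT)
!   our inside as the peer sees it   10.10.10.0/24
!   peer's inside as our hosts see it 10.20.20.0/24
!   a second, non-overlapping net    172.16.5.0/24    (through the tunnel untranslated)
!   peer's public address            203.0.113.1

! Catch-all PAT for Internet traffic. Left alone, this would also rewrite the
! tunnel traffic to the outside interface address, which no crypto ACL matches.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! NAT exemption (the "NAT 0" from the reply): 172.16.5.0/24 keeps its real
! address toward the peer. Exemption is evaluated before every other NAT rule.
! Destination is the peer's range as our hosts address it (10.20.20.0/24).
access-list NONAT extended permit ip 172.16.5.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Policy static NAT: 192.168.1.0/24 appears as 10.10.10.0/24, but only when it
! talks to the peer's translated range. Static NAT is evaluated before the
! dynamic PAT above, so the PAT never fires for this traffic.
access-list LOCAL_TO_PEER extended permit ip 192.168.1.0 255.255.255.0 10.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.0 access-list LOCAL_TO_PEER

! The peer's 192.168.1.0/24 appears to our hosts as 10.20.20.0/24, so a local
! host can address a remote machine without hitting the local copy of the subnet.
static (outside,inside) 10.20.20.0 192.168.1.0 netmask 255.255.255.0

! Crypto ACL in post-NAT addresses: our translated range, and the exempted
! range, to the peer's real range. A line with 192.168.1.0 as the source here
! would never match, which is exactly the "tunnel up, no encaps" symptom.
access-list SAP_oasis extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SAP_oasis extended permit ip 172.16.5.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map VPN 10 match address SAP_oasis
crypto map VPN 10 set peer 203.0.113.1
```

Seen from the SonicWall, its real 192.168.1.0/24 talks to 10.10.10.0/24 and 172.16.5.0/24, so its VPN policy uses those two as destination networks and it needs no NAT of its own; that is the "only NAT from my side" arrangement the question describes. To check the result on the PIX, `show crypto ipsec sa` should list the translated networks in the local ident lines and `#pkts encaps` should increase when an inside host sends traffic, and `show xlate` should show the 192.168.1.x to 10.10.10.x translation rather than a PAT entry on the outside address.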

be04376 Wed, 06/27/2007 - 05:03

Thanks, he was doing NAT 2 times.

I excluded NAT for the translated range and it works.


