VPN Site to Site With NAT

Oct 8th, 2007

Hi all,

Can someone help me, please?

An inside server ( needs to access a remote network

A VPN site to site is established between Pix outside ( and Multitech Firewall (

Now my inside server should connect to the remote network with this IP, so I have to NAT my inside server IP ( to

The remote network should connect to inside network by the

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a TCP connection from my inside network to the remote network.

The weird thing is that both networks can ping each other.

This is my config below:

access-list Outside_1_cryptomap extended permit ip
access-list Inside_nat_static extended permit ip host 192.168.92.6
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

Thanks for your answers.

p.vdvoort Mon, 10/08/2007 - 03:39

Hi fallkaired,

I would say that if you change your NAT to:

static (inside,outside) netmask

things should work.

Good luck!


fallkaired Mon, 10/08/2007 - 05:57

Thanks for your answer, but it is still not working. I have the same problem.

p.vdvoort Thu, 10/11/2007 - 01:01

OK, the first thing to check here is your crypto ACL on the remote site. Is it an exact mirror of the ACL on the local site?

Do you have ACLs on the remote site possibly blocking your TCP traffic?

Then, what kind of messages do you get when trying to connect to the outside?

At the least you should see a packet coming in from and you should see messages like "building xlate entry for..." indicating that translation occurs.

After that you should see the tunnel being built (terminal monitor); you should get ISAKMP SAs and after that IPsec SAs.

When that is all going as expected, you should be able to see your packets getting encrypted, i.e. being transferred through the tunnel (show crypto ipsec sa).

If your connection gets this far, the remote site should be reviewed.
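The first two checks in the reply above (is the remote crypto ACL an exact mirror of the local one, and does the local crypto ACL carry the NAT-translated address that the remote site actually sees, which is the setup in the original question) can be scripted against saved configs. The Python below is an added example, not code from the thread or from Cisco; the ACL lines and the 192.0.2.0/24 remote network are constructed sample values, and the parser understands only the plain `permit ip` form used in this thread (`host A`, `A MASK`, or `any`).

```python
"""Mirror-check two PIX/ASA crypto ACLs and confirm the static-NAT translated
address is what the local crypto ACL matches. Added example; the sample
config lines below are constructed, not the original poster's."""

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    name: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


_ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.+)$")


def _parse_endpoint(tokens):
    """Consume one endpoint ('any', 'host A', or 'A MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # PIX/ASA ACL syntax writes a network as address followed by dotted netmask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl_line(line):
    """Return an AclEntry for a 'permit ip' line, or None for anything else."""
    m = _ACL_RE.match(line.strip())
    if not m:
        return None
    name, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _parse_endpoint(tokens)
    dst, _ = _parse_endpoint(tokens)
    return AclEntry(name, proto, src, dst)


def parse_acl(config_text, acl_name):
    """All parsed entries of one named ACL from a config dump."""
    entries = (parse_acl_line(l) for l in config_text.splitlines())
    return [e for e in entries if e is not None and e.name == acl_name]


def mirror_mismatches(local, remote):
    """Entries on either side that lack an exact src/dst-swapped counterpart.

    The crypto ACLs of the two peers must be mirror images, otherwise the
    proxy identities will not match at phase 2 and traffic is silently dropped.
    """
    local_set = {(e.proto, e.src, e.dst) for e in local}
    remote_set = {(e.proto, e.src, e.dst) for e in remote}
    unmatched_local = [t for t in local_set if (t[0], t[2], t[1]) not in remote_set]
    unmatched_remote = [t for t in remote_set if (t[0], t[2], t[1]) not in local_set]
    return unmatched_local, unmatched_remote


def nat_address_in_crypto_acl(local, translated_ip):
    """True if the translated (post-NAT) address is covered by the source side
    of some local crypto ACL entry. With 'static (inside,outside) ... access-list'
    the remote site only ever sees the translated address, so the crypto ACL
    must match that, not the real inside address."""
    ip = ipaddress.ip_address(translated_ip)
    return any(ip in e.src for e in local)


# Constructed sample configs. 172.20.20.6 is the translated address and
# 192.168.92.6 the real inside host, as in the thread; 192.0.2.0/24 stands in
# for the (unstated) remote network.
LOCAL_CONFIG = """
access-list Outside_1_cryptomap extended permit ip host 172.20.20.6 192.0.2.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.0.2.0 255.255.255.0
"""
REMOTE_CONFIG_GOOD = """
access-list remote_crypto extended permit ip 192.0.2.0 255.255.255.0 host 172.20.20.6
"""
# Common mistake: the remote side lists the real inside address instead of
# the translated one, so its ACL no longer mirrors the local crypto ACL.
REMOTE_CONFIG_BAD = """
access-list remote_crypto extended permit ip 192.0.2.0 255.255.255.0 host 192.168.92.6
"""


def check_tunnel_acls(local_text, remote_text, translated_ip,
                      local_acl="Outside_1_cryptomap", remote_acl="remote_crypto"):
    """Run both checks and return a summary dict."""
    local = parse_acl(local_text, local_acl)
    remote = parse_acl(remote_text, remote_acl)
    unmatched_local, unmatched_remote = mirror_mismatches(local, remote)
    return {
        "mirrored": not unmatched_local and not unmatched_remote,
        "unmatched_local": unmatched_local,
        "unmatched_remote": unmatched_remote,
        "nat_in_crypto_acl": nat_address_in_crypto_acl(local, translated_ip),
    }


if __name__ == "__main__":
    print(check_tunnel_acls(LOCAL_CONFIG, REMOTE_CONFIG_GOOD, "172.20.20.6"))
    print(check_tunnel_acls(LOCAL_CONFIG, REMOTE_CONFIG_BAD, "172.20.20.6"))
```

The script only confirms the two ACL conditions; the rest of the reply (xlate messages, ISAKMP and IPsec SAs, `show crypto ipsec sa` counters) still has to be read off the firewall itself.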


fallkaired Thu, 10/11/2007 - 04:06

It's working fine now. You're right, the TCP traffic was not permitted on the remote site.

Thanks for your help.

