nat and ipsec on pix 6.2

Unanswered Question
Jan 23rd, 2008


Will the pix perform NAT before sending traffic to an IPSEC tunnel?



name EORLA


access-list 150 permit ip host WHBIZTALK host EORLA

pdm location outside

pdm location inside

static (inside,outside) netmask 0 0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map WDMHMAP 85 ipsec-isakmp

crypto map WDMHMAP 85 match address 150

crypto map WDMHMAP 85 set peer

crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA

crypto map WDMHMAP interface outside


What I need to see in the ipsec tunnel is traffic with src = and dest =


ajagadee (Cisco Employee) Wed, 01/23/2008 - 12:18

Based just upon the configuration that you have posted here, yes, the IP address will be NATted to

Since you want to see the IPSEC tunnel with src = and dest =, you need to reconfigure ACL 150 to

access-list 150 permit ip host host EORLA



** Please rate if it helps **

dsandre-toh Wed, 01/23/2008 - 12:38

I should clarify, the ipsec tunnel is an existing tunnel and has as its endpoints:

local: ie. pix outside interface


...I want to direct traffic from to into the ipsec tunnel, but, I need to nat to

Jon Marshall Wed, 01/23/2008 - 14:08

Yes, you can NAT the source or destination IP addresses before they enter the IPSEC tunnel. The config above looks fine - is it not working?
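
The NAT-before-encryption ordering discussed in this thread, written out as an added example that is not part of any poster's configuration or reply. The addresses in the thread were not preserved, so every IP below is a constructed documentation-range placeholder, and the WHBIZTALK name mapping is an assumption.

```cisco
: Constructed example. All addresses are placeholders (assumptions):
:   10.1.1.20      real inside address of WHBIZTALK
:   198.51.100.20  translated source the remote side should see
:   192.0.2.10     remote host EORLA
name 10.1.1.20 WHBIZTALK
name 192.0.2.10 EORLA

: 1. The static translation is applied first, as the packet goes
:    from the inside interface to the outside interface.
static (inside,outside) 198.51.100.20 WHBIZTALK netmask 255.255.255.255 0 0

: 2. The crypto ACL is checked after translation, so it has to name
:    the translated source, not the real inside host.
access-list 150 permit ip host 198.51.100.20 host EORLA

: 3. Crypto map lines from the thread, unchanged.
crypto map WDMHMAP 85 ipsec-isakmp
crypto map WDMHMAP 85 match address 150
crypto map WDMHMAP 85 set transform-set ESP-3DES-SHA
crypto map WDMHMAP interface outside

: Caveat: a "nat (inside) 0 access-list ..." exemption that matches
: this flow is processed before the static, so the packet would leave
: untranslated and miss access-list 150.

: Checks (exec commands, not configuration):
:   show xlate            confirms the 10.1.1.20 -> 198.51.100.20 translation
:   show crypto ipsec sa  local ident should show 198.51.100.20,
:                         remote ident 192.0.2.10, with encaps counters rising
```

The remote peer's crypto ACL has to mirror this entry (its destination is the translated address), otherwise phase 2 will not negotiate for the flow.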


