Cisco PIX VPN "Interesting" traffic

Unanswered Question
Apr 11th, 2008


I have a Cisco PIX 501 with a 50 user license. I have been asked to setup a site-to-site VPN with another firewall.

My issue is that the other site is requesting that I NAT the device they want to communicate with (only 1 host) to the same IP address as the only one on the WAN side of my PIX.

Is this possible? If not, can it be done if I have another public IP address available?

Example (IP Addresses have been modified)

LAN IP - /24

WAN IP /29

The device on the LAN that they want to communicate with is


Eric Hanke

srue Fri, 04/11/2008 - 11:38

If you're using the outside IP of the PIX for global PAT (e.g. global (outside) 1 interface), you're better off using a different address, but yes, it can be done.

You will need to use policy NAT.

Your crypto ACL (interesting traffic ACL) will be based on the public/NAT'ed IP of the server.

acomiskey Fri, 04/11/2008 - 11:43

Like Steven said, you're better off using another IP. Something like this would work...

x.x.x.x = some other address

access-list vpn_nat permit ip host

access-list crypto permit ip host x.x.x.x

static (inside,outside) x.x.x.x access-list vpn_nat

This will allow the remote site to communicate with by using x.x.x.x.

eric_hanke Fri, 04/11/2008 - 12:22

The problem is that the other side will not allow me to use an RFC 1918 address. They want me to NAT the private IP address of the server to the public IP address of the firewall.

husycisco Fri, 04/11/2008 - 15:27

Hi Eric,

access-list Pol_Nat permit ip host remotesitenetwork remotesitenetmask

static (inside,outside) yourdesiredpublicip access-list Pol_Nat

access-list interesting_traffic permit ip host yourdesiredpublicip remotesitenetwork remotesitenetmask

crypto map xxx xxx match address interesting_traffic

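The answers above give the NAT and crypto ACL lines but elide the addresses and the rest of the tunnel. Below is an added, complete PIX 6.x configuration for the scenario (not from any post in this thread). All addresses are constructed: the inside server is 10.1.1.10, the spare public address used for it is 192.0.2.11, the remote LAN is 203.0.113.0/24 and the remote peer is 198.51.100.1; the ISAKMP/IPsec parameters are assumed and must match whatever the remote side runs. The point it shows is the order of operations the thread relies on: policy NAT translates the server only for traffic to the remote LAN, and because translation happens before the crypto check on the way out, the interesting-traffic ACL is written against the translated address, while ordinary Internet traffic keeps using PAT on the interface address.

```cisco
: Added example (not from the thread). PIX 6.x site-to-site VPN where the
: inside server 10.1.1.10 is presented to the remote site as 192.0.2.11.
: All addresses and crypto parameters are constructed/assumed values.

: Policy NAT: translate the server only when it talks to the remote LAN
access-list Pol_Nat permit ip host 10.1.1.10 203.0.113.0 255.255.255.0
static (inside,outside) 192.0.2.11 access-list Pol_Nat

: Crypto ACL: uses the translated address, since NAT runs before the
: crypto check on the outbound path
access-list interesting_traffic permit ip host 192.0.2.11 203.0.113.0 255.255.255.0

: Everyone else keeps ordinary PAT on the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: Phase 1 (ISAKMP) - parameters assumed, agree them with the remote side
isakmp enable outside
isakmp key REPLACE_WITH_SHARED_SECRET address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Phase 2 (IPsec) bound to the interesting-traffic ACL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address interesting_traffic
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside

: Let decrypted tunnel traffic bypass the interface ACLs
sysopt connection permit-ipsec
```

Two checks worth making once this is in place: `show xlate` should show 10.1.1.10 mapped to 192.0.2.11 only for flows toward 203.0.113.0/24, and `show crypto ipsec sa` should count encrypted packets under the 192.0.2.11 selector. If the crypto ACL had been written with 10.1.1.10 instead, the translated packets would never match it and would leave the outside interface in the clear (or be dropped by the remote peer), which is why the thread insists on the NAT'ed address there. Reusing the interface address itself instead of a spare public IP is possible but collides with `global (outside) 1 interface`, so a spare address from the /29 is the cleaner choice.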

rashid_ghazanfar Fri, 04/11/2008 - 19:47

Dear Mr. Eric,

As far as I understand your query, this is not an issue at all. Actually, your other side wants you to NAT the host on your side to an IP that they may provide you, most probably their LAN IP, so you simply NAT that host to the IP that they provide you.

Thanks & Regards,

Rashid Ghazanfar

