NAT over IPsec L2L with PIX

I have the following challenge and I can solve it partially only.


I need to connect two sites through ipsec L2L and apply some NAT back and forth.

The remote network is my inside network is The remote site cannot send traffic to because this subnet is used on their network. So they are going to send the traffic to for ftp and for http. On my side I have as ftp and as http server. On my side when the traffic comes I have to translate the destination of and to and respectively.

I also have to send back some traffic to the remote site with source of (from and So it means it is some kind of asymmetric NAT. The question is whether it is possible or not? If possible, how to approach it?



JORGE RODRIGUEZ Wed, 06/04/2008 - 13:50


You can apply the overlapping networks strategy in your scenario; you will need policy NAT. I've created a draft script but if I have the time I will test it; however, it should be along those lines, look at the example link.

You could have these acls for your tunnel.

access-list new extended permit ip

access-list new extended permit ip

access-list policy-nat_FTP extended permit ip

access-list policy-nat_HTTP extended permit ip

static (inside,outside) access-list policy-nat_FTP

static (inside,outside) access-list policy-nat_HTTP



Hi Jorge,

Thank you for your reply. I have also found that link but it seems that scenario is working only in case of the traffic going from my side (let's say this is PIX-A) to the remote; however, I need the opposite. It is mentioned that if there is traffic coming back to the translated address (in my case, and .2) it will not reach the inside network. Do you know any other way to achieve this?
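For readers following the thread, here is an illustrative PIX/ASA 7.x-style configuration of the overlapping-network scenario. It is an example added to this page, not Jorge's draft script and not the configuration from the linked Cisco document, and every address in it is constructed: the real FTP server is 10.1.1.10 (mapped to 172.16.1.1), the real HTTP server is 10.1.1.20 (mapped to 172.16.1.2), and the remote LAN is 192.0.2.0/24. It assumes that a static policy translation is applied in both directions on the platform in use, so that a remote host opening a connection to the mapped address reaches the real server, and that is the behaviour to confirm with show xlate once the tunnel is up.

```cisco
! Constructed addresses (not from the thread):
!   real FTP server  10.1.1.10  -> mapped 172.16.1.1
!   real HTTP server 10.1.1.20  -> mapped 172.16.1.2
!   remote LAN       192.0.2.0/24, reached only through the L2L tunnel
!
! Policy NAT ACLs: the translation applies only to traffic between the
! real server and the remote LAN, so other traffic keeps its real address.
access-list policy-nat_FTP extended permit ip host 10.1.1.10 192.0.2.0 255.255.255.0
access-list policy-nat_HTTP extended permit ip host 10.1.1.20 192.0.2.0 255.255.255.0
!
! Static policy NAT: toward 192.0.2.0/24 the FTP server appears as 172.16.1.1
! and the HTTP server as 172.16.1.2. Assumption: the static translation is
! bidirectional, so a remote host connecting to 172.16.1.1 is delivered to
! 10.1.1.10 (this also gives the "source of the mapped address" behaviour
! asked for in the question).
static (inside,outside) 172.16.1.1 access-list policy-nat_FTP
static (inside,outside) 172.16.1.2 access-list policy-nat_HTTP
!
! Crypto ACL uses the MAPPED addresses: outbound packets are translated
! before the crypto map is consulted, and inbound packets are decrypted
! before they are untranslated.
access-list l2l-interesting extended permit ip host 172.16.1.1 192.0.2.0 255.255.255.0
access-list l2l-interesting extended permit ip host 172.16.1.2 192.0.2.0 255.255.255.0
!
! Verification after a remote host connects (constructed placeholders):
!   show xlate              -> expect 10.1.1.10 <-> 172.16.1.1 entries
!   show crypto ipsec sa    -> encaps/decaps counters rising for the peer
```

Two points worth checking on a real deployment: the crypto ACL on the remote peer must mirror these mapped addresses (192.0.2.0/24 to 172.16.1.1 and 172.16.1.2), or Phase 2 will not match; and because the default sysopt connection permit-vpn lets decrypted tunnel traffic bypass the outside interface ACL, exposure of the two servers to the remote LAN is limited by the policy NAT and crypto ACLs themselves, so keep those scoped to the single hosts rather than the whole inside subnet.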



