PAT addresses across VPN

Unanswered Question
Oct 30th, 2008

I have set up a site-to-site VPN from a PIX runing 7.2(1) to a 3rd Party.

We wish to push traffic behind a PAT address, rather than a simple NAT.

All external traffic hides behind a PAT address (but htis is not the address we want) unless it is statically NATted.

What I need to know is how I would get the PAT to work when the ACL for the normal PAT is permit IP ANY ANY

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Thu, 10/30/2008 - 17:44


Do you need to use an acl for the normal PAT. If not you could just use an acl for your VPN NAT. If you do need to use PAT you will need to modify the existing acl. So

your private network -

the remote VPN network you are trying to reach -

You PAT all addresses to

You want to use for the VPN traffic.

So assuming you have something like this in your config as you are using an acl for NAT/PAT

access-list 101 permit ip any any

nat (inside) 1 accesss-list 101

global (outside) 1

you need to make the following modifications

access-list 101 deny ip

access-list 101 permit ip any any

access-list 102 permit ip

nat (inside) 2 access-list 102

global (outside) 2


SeanWatmore Fri, 10/31/2008 - 03:02


Thank you for your response.

Unfortunately this is not the correct solution. However I have resolved the issue.

Removing and trying to reapply ACL 101 produced the evidence to support a memory I had but wasn't 100% sure about.

The ACL used for this control cannot have a deny statement in it. (The pix rejects it as an error - although it didn't when I added the rule to the pre-existing ACL).

The solution was to remove ACL 101 create ACL 102 and the associated PAT condition. Then reapply ACL 101. and funnily enough it all worked.

Thanks for your assistance.


Jon Marshall Fri, 10/31/2008 - 06:47


From memory i thought i had done this but perhaps i was thinking of it on a router rather than a pix.

Apologies for providing an incorrect answer and thanks for coming back with your solution. I have rated the post.



This Discussion