PIX: NAT in Site to Site VPN

Unanswered Question
Jan 9th, 2009
User Badges:


Hopefully someone can confirm this is possible.

I have a PIX 525 running v7.2 and it terminates several Site-To-Site VPNs with other organisations who then use services hosted on a DMZ. That all works fine.

I'm connecting up another organisation who cannot route to private address space down a VPN at their end. That causes a problem, because the address they need to contact down the VPN is a private one.

So is it possible to do a NAT to one of our Internet addresses on the outside of the PIX, but still have them access it over the VPN?

There doesn't seem to be an equivalent config on the Cisco support examples and I've checked the Wiki, but couldn't find anything that matches this scenario.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Fri, 01/09/2009 - 14:27
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Yes it is possible although if other companies are accessing the same server in it's private IP address that is going to be problematic.

Assuming it isn't lets say -

ptivate host at your end =

public IP you present it as to remote site -

Your crypto map access-list at your end would be

access-list vpntraffic permit ip host 17216.5.0

ie. the key thing is in your crypto map you need to reference the Natted IP address.


remote site subnet =

4c.gregory Fri, 01/09/2009 - 20:36
User Badges:


Thanks for the response.

Unfortunate other companies do access the private address down the Site-2-Site VPNs. What's the problematic bit?

So the NAT would be as normal? We already have this in place as one particular organisation accesses it using a static NAT as the protocol is SSL'ed already - something like:

static (inside,outside) netmask



rkalia1 Sat, 01/17/2009 - 18:27
User Badges:

Chas use this:

access-list ext NAT permit ip host

static (inside,outside) access-list NAT

Your Crypto access-list should be:

access-list ext vpntraffic permit host

Also, note that you need not put the traffic from server to n/w in NONAT access-list that you may have for VPN traffic that is non-nated.


This Discussion