Nat VPN address on Pix 515E

Unanswered Question
Apr 22nd, 2009

I have an internal address but we want the other end of the VPN tunnel to communicate with instead and use NAT because of an overlapping address range. Does anyone have an example configuration of something like this?

Jon Marshall Wed, 04/22/2009 - 05:43

FW1 = firewall at site where is.

FW2 = firewall at remote end

Config bits that are needed for the NAT setup and the VPN crypto map:

FW1:

static (inside,outside)
access-list vpntraffic permit ip host host
crypto map vpnmap 1 match address vpntraffic

FW2:

access-list vpntraffic permit ip host host
crypto map vpnmap 1 match address vpntraffic

Note that the referenced in FW2 config is actually a client machine behind FW2 and not the machine behind FW1.
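A filled-in version of the setup Jon outlines, added here as an illustration and not taken from his post. Every address is assumed: the FW1-side server is 10.1.1.10 (its 10.1.1.0/24 collides with a subnet at the FW2 site), it is presented to the tunnel as 172.16.50.10, the FW2-side client is 192.168.20.20 (a subnet FW1's site does not use), and the outside interfaces are 203.0.113.1 (FW1) and 198.51.100.1 (FW2). The ISAKMP policy and pre-shared key lines are left out; the syntax is PIX 6.3/7.0 style.

```cisco
! --- FW1 (PIX in front of the server) ---
! static (inside,outside) <mapped> <real>: the server leaves the inside
! interface as 172.16.50.10, so the overlapping 10.1.1.10 never enters
! the tunnel.
static (inside,outside) 172.16.50.10 10.1.1.10 netmask 255.255.255.255

! On the PIX the crypto ACL is matched after outbound NAT, so it must
! name the mapped address, not the real one. Do not add a nat 0
! exemption for 10.1.1.10 towards this peer; it would bypass the static.
access-list vpntraffic permit ip host 172.16.50.10 host 192.168.20.20

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address vpntraffic
crypto map vpnmap 1 set peer 198.51.100.1
crypto map vpnmap 1 set transform-set ESP-AES-SHA
crypto map vpnmap interface outside
! Lets decrypted tunnel traffic bypass the outside access-group
! (keyword is permit-ipsec on PIX 6.3/7.0, permit-vpn on later ASA code).
sysopt connection permit-ipsec

! --- FW2 (remote PIX) ---
! Mirror image of FW1's ACL. 192.168.20.20 is the client behind FW2;
! it only ever talks to the mapped 172.16.50.10.
access-list vpntraffic permit ip host 192.168.20.20 host 172.16.50.10
! The client must NOT be PATed to FW2's outside address on its way into
! the tunnel, otherwise FW1's ACL will not match; exempt it from NAT.
access-list nonat permit ip host 192.168.20.20 host 172.16.50.10
nat (inside) 0 access-list nonat

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address vpntraffic
crypto map vpnmap 1 set peer 203.0.113.1
crypto map vpnmap 1 set transform-set ESP-AES-SHA
crypto map vpnmap interface outside
sysopt connection permit-ipsec
```

The two crypto ACLs have to be exact mirrors of each other in post-NAT terms, otherwise phase 2 fails on a proxy identity mismatch. After bringing the tunnel up, `show crypto ipsec sa` on each PIX should list 172.16.50.10 and 192.168.20.20 as the local/remote identities; if 10.1.1.10 shows up anywhere, traffic is reaching the crypto map untranslated.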


mfawehin Wed, 04/22/2009 - 22:54

Hi Jon, bschear, I'm sorry to gatecrash your post but I have to configure a setup with Cisco encryption routers on either end of my VPN tunnel.

The 3rd party partners have a firewall connected to the encryption router (which is my tunnel endpoint) and they are NAT'ing their internal addresses, so I'm a bit confused as to how I set up the ACLs for interesting traffic on my side.

Do I permit access to the NAT'ed or original addresses?

Is there anything I need to configure on my router regarding the NAT'ing on the other end of the tunnel?

Again, I'm sorry for posting my question here but I thought I'd be quicker to get a response as you obviously know about VPNs and NAT configuration.

Many thanks,


Jon Marshall Thu, 04/23/2009 - 01:49


You need to use the NATed address in your access-list for the interesting traffic because you will never see the 3rd party's internal addresses.
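To show what that looks like on IOS routers, here is an added example (mine, not from Jon's reply or from the poster's actual config). Assumed addressing: our LAN is 10.20.0.0/16, the partner's real LAN 10.20.5.0/24 overlaps it and they translate it to 172.31.5.0/24 before it reaches the tunnel, our outside address is 203.0.113.7 and the partner's peer address is 198.51.100.7. ISAKMP policy and keys are omitted.

```cisco
! --- Our encryption router ---
! We only ever see the partner's translated range, so that is what the
! crypto ACL carries. Nothing NAT-related is required on this router.
ip access-list extended VPN-PARTNER
 permit ip 10.20.0.0 0.0.255.255 172.31.5.0 0.0.0.255
! Never reference 10.20.5.0/24 here: it is part of our own address
! space, and an entry for it would try to tunnel local traffic.

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map PARTNER 10 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set ESP-AES-SHA
 match address VPN-PARTNER
interface GigabitEthernet0/0
 ip address 203.0.113.7 255.255.255.0
 crypto map PARTNER

! --- What the partner's router has to hold for the SAs to agree ---
! (ip nat inside / ip nat outside on their LAN and WAN interfaces assumed)
! Static network NAT maps their real /24 one-to-one onto the agreed range.
ip nat inside source static network 10.20.5.0 172.31.5.0 /24
! IOS translates inside-to-outside traffic before the crypto map is
! evaluated, so their crypto ACL is the mirror of ours in NATed terms:
ip access-list extended VPN-US
 permit ip 172.31.5.0 0.0.0.255 10.20.0.0 0.0.255.255
```

The quick check when it "is not working" is `show crypto ipsec sa` on our side: the remote ident must be 172.31.5.0/24. If phase 2 never comes up and `debug crypto isakmp` reports a proxy identity mismatch, the partner is almost certainly matching on 10.20.5.0/24 (their real range) instead of the translated one, which is their problem to fix, not ours.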


mfawehin Thu, 04/23/2009 - 04:15

Thanks Jon for the prompt response, that is what I put in my access-list but it's not working. I will troubleshoot further with the 3rd party company as I'm pretty sure my config is fine.

Thanks again,


