Unanswered Question
Jan 6th, 2010
Hello, I'm having this issue for quite a few days now.

I have a Cisco PIX 6.3.3, which currently has a VPN tunnel to another PIX. I have quite a few local networks behind my PIX, let's say for example

The people from the other side of the tunnel only want to see the network /24, so I have NAT configured to translate the traffic that goes to the tunnel. I've used policy NAT (nat with an ACL).

The thing is that when a server from the local network accesses the VPN first, it does not NAT ever again. I mean, it remains with the translated IP, for example, but does not NAT with the outside interface to access the Internet.

Here's a glimpse of the configuration:

global (outside) 14 netmask
global (outside) 1 interface

nat (inside) 14 access-list VPN
nat (inside) 1

access-list VPN permit ip VPN-Network

I have read about the NAT priorities and in theory they are OK, but it still doesn't work.

Any ideas?

yamramos.tueme Thu, 01/07/2010 - 14:01
Instead of using nat-global (unless you want to PAT your traffic) for both translations, you should use static for the VPN translation. As you only have a /24 network in your inside network, you should restrict your VPN ACL to match specific traffic.

Try changing your configuration so it looks like this:

access-list VPN permit ip VPN-Network
static (inside,outside) access-list VPN
nat (inside) 1
global (outside) 1 interface

You can try that.

- Yamil
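To show the complete shape of what both the question and the answer describe, here is an added PIX 6.3 example that is not from this thread or from either poster. Every address in it is constructed: inside LAN 10.1.1.0/24, the /24 the VPN peer expects to see as 172.16.100.0/24, the remote network behind the peer as 192.168.50.0/24. The point it demonstrates is the one Yamil makes: a static policy translation is evaluated before nat/global and is keyed on the destination in its ACL, so VPN-bound traffic gets the fixed translation while the same hosts still fall through to nat 1 / global 1 interface (PAT) for Internet traffic, and keeping the policy ACL narrow is what prevents the VPN translation from capturing anything else.

```cisco
! Added example, not from this thread. All addresses are constructed.
! Inside LAN 10.1.1.0/24 must appear to the VPN peer as 172.16.100.0/24,
! while the same hosts use the outside interface address (PAT) for the Internet.
! Remote network behind the peer PIX: 192.168.50.0/24.

! Policy ACL: match ONLY traffic from the inside /24 to the remote VPN network.
! Keep it this narrow so it never matches Internet-bound traffic.
access-list VPN permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! Policy static: one-to-one network translation applied only when the
! destination matches the ACL. static entries are evaluated before nat/global,
! so this wins for VPN traffic and is skipped for everything else.
static (inside,outside) 172.16.100.0 access-list VPN

! Everything else leaving inside is PAT'd to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! The crypto ACL must reference the translated (mapped) addresses, because
! NAT is applied before the crypto map is consulted for outbound traffic.
access-list CRYPTO-PEER permit ip 172.16.100.0 255.255.255.0 192.168.50.0 255.255.255.0
```

After removing the old nat 14 / global 14 pair, translations built under it are still in the xlate table, which is exactly the "stuck with the translated IP" symptom in the question; use show xlate to confirm and clear xlate to flush them (this drops the connections currently using them) so the static policy entry is what new VPN connections match.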