Remote VPN with NAT.

Jan 15th, 2010

Hi all,

I'm solving the following problem:

Our employees connect to our network remotely with the Cisco VPN client and can access any resources inside the network.

We have NAT 0 configured so their sessions appear inside the network with IPs assigned from the VPN pool. We have a PIX with inside and outside interfaces.

But we need to access outside resources through VPN.

So my question is: when traffic gets out of the VPN tunnel, what NAT and ACLs should I configure to access outside resources (on the Internet)? From inside to outside, or should I create a loopback interface?

Please send me an example.



Ricardo Prado Rueda Tue, 01/19/2010 - 09:52


To get Internet access while the IPsec VPN Client is connected to your PIX, you have two options:

A. Use split-tunneling. This configuration tells the VPN client which traffic needs to be encrypted; everything else is sent out the local Internet connection on the client's end.

B. Use the option of hairpinning (U-turn) on the PIX to provide Internet access to the connecting VPN Clients. The only restriction here is that your PIX needs to be running at least version 7.

The basic configuration for this setup is as follows:


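! VPN_POOL_NETWORK and VPN_POOL_MASK are placeholders for the VPN client address pool
access-list remotelan permit ip VPN_POOL_NETWORK VPN_POOL_MASK any

! PAT the traffic arriving from the VPN clients to the outside interface address
nat (outside) 1 access-list remotelan
global (outside) 1 interface

! Allow traffic to enter and leave through the same (outside) interface
same-security-traffic permit intra-interface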

   The rest of the configuration remains the same.
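
The two options from the reply above written out as PIX 7.x configuration, added here as an illustration and not taken from the original reply or from Cisco's documentation. The inside LAN 10.1.1.0/24, the VPN pool 192.168.10.0/24 and the names vpnpool, nonat, split, clientgroup and remotevpn are constructed for the example.

```cisco
! Constructed addressing: inside LAN 10.1.1.0/24, VPN pool 192.168.10.0/24
ip local pool vpnpool 192.168.10.1-192.168.10.254

! NAT 0 as described in the question: inside hosts reach VPN clients untranslated
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Option B: hairpin (U-turn), all client traffic enters the tunnel ---
! Let decrypted traffic leave through the interface it arrived on
same-security-traffic permit intra-interface
! PAT only the VPN pool to the outside interface address
access-list remotelan extended permit ip 192.168.10.0 255.255.255.0 any
nat (outside) 1 access-list remotelan
global (outside) 1 interface
group-policy clientgroup internal
group-policy clientgroup attributes
 split-tunnel-policy tunnelall

! --- Option A: split tunneling, used instead of the Option B block ---
! Only traffic to the inside LAN is encrypted; Internet traffic leaves over
! the client's local connection and never reaches the PIX
access-list split standard permit 10.1.1.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split

! Common to both options: bind the pool and policy to the remote-access group
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
```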



