PIX 515E 6.3(5) VPN client NAT rule

Unanswered Question
Jun 2nd, 2010


I'm very new to PIX and here is my simple problem:

I have created a VPN client pool from the same range as the internal IP range. For example /24 with client VPN pool of - 180. For this I have created a translation rule:

static (inside,outside) netmask 0 0

This worked fine, but now I don't want a pool from the same network as inside.

Now I have created a different IP pool - 180. But now I don't know what the translation rule looks like.

Is this right?:

static (inside,outside) netmask 0 0

I only want the clients from outside to be able to connect to the internal network.

Hope someone could help.

Federico Coto F... Wed, 06/02/2010 - 08:13

Hi Jason,

You don't need translation for the VPN clients to access the internal LAN.

If the internal LAN is, and if the VPN pool is 192.168.1.x, you can do the following:

static (inside,outside) netmask

The problem with the above command is that the internal LAN will not have Internet access.

Normally what you do is this:

access-list nonat permit ip

nat (inside) 0 access-list nonat

nat (inside) 1

global (outside) 1 interface

The above uses Policy NAT to bypass NAT between the internal network and the pool, and then PAT all the internal traffic to the internet.
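As an added example that is not part of this thread or of any Cisco tool, the Python script below models the PIX 6.3 NAT order of operations that the answer relies on (nat 0 access-list exemption is checked first, then static translations, then dynamic nat/global) and runs both configurations from the answer through it. The addresses are assumptions, since the thread does not give them: inside LAN 10.1.1.0/24, VPN client pool 192.168.1.0/24, outside interface 203.0.113.2, and 198.51.100.7 as an Internet host. It shows why the identity static sends the LAN's Internet-bound traffic out untranslated (the private address leaks and no reply can come back, so the LAN loses Internet access), while the exemption plus nat/global leaves LAN-to-pool traffic untranslated and PATs everything else to the outside interface address.

```python
"""Toy model of PIX 6.3 NAT precedence (added example, not from the thread).

Assumed addressing, not taken from the original post:
  inside LAN         10.1.1.0/24
  VPN client pool    192.168.1.0/24
  outside interface  203.0.113.2
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
OUTSIDE_IP = "203.0.113.2"   # assumed outside interface address


def _net(addr: str, mask: str) -> Net:
    """Build a network from the dotted address/netmask pair PIX syntax uses."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class PixNat:
    """Parses the NAT lines used in the thread and evaluates a flow in the
    PIX 6.3 order of operations: nat 0 access-list (exemption), then static,
    then dynamic nat/global."""

    def __init__(self, config: str, outside_ip: str = OUTSIDE_IP) -> None:
        self.outside_ip = outside_ip
        self.acls: Dict[str, List[Tuple[Net, Net]]] = {}  # name -> (src, dst)
        self.exempt_acl: Optional[str] = None
        self.statics: List[Tuple[Net, Net]] = []          # (real, mapped)
        self.dynamic: List[Tuple[int, Net]] = []          # (nat id, real net)
        self.globals: Dict[int, str] = {}                 # nat id -> mapped addr
        for raw in config.splitlines():
            line = raw.strip()
            if line:
                self._parse(line.split())

    def _parse(self, t: List[str]) -> None:
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # access-list NAME permit ip SRC SMASK DST DMASK
            self.acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            # nat (inside) 0 access-list NAME  -> NAT exemption
            self.exempt_acl = t[4]
        elif t[0] == "nat":
            # nat (inside) ID NET MASK  -> dynamic NAT/PAT, paired with global ID
            self.dynamic.append((int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global":
            # global (outside) ID interface|ADDR
            self.globals[int(t[2])] = self.outside_ip if t[3] == "interface" else t[3]
        elif t[0] == "static":
            # static (inside,outside) MAPPED REAL netmask MASK
            self.statics.append((_net(t[3], t[5]), _net(t[2], t[5])))
        else:
            raise ValueError("unsupported line: " + " ".join(t))

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (rule that matched, source address as seen on the outside)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # 1. NAT exemption: a matching flow keeps its real address.
        for real, peer in self.acls.get(self.exempt_acl, []):
            if s in real and d in peer:
                return ("exempt", src)
        # 2. Static translations (identity ones included) beat dynamic NAT,
        #    whatever the destination is.
        for real, mapped in self.statics:
            if s in real:
                offset = int(s) - int(real.network_address)
                return ("static", str(mapped.network_address + offset))
        # 3. Dynamic nat/global; "interface" means PAT to the outside address.
        for nat_id, real in self.dynamic:
            if s in real and nat_id in self.globals:
                return ("pat", self.globals[nat_id])
        # PIX 6.3 needs a translation for inside->outside traffic; none matched.
        return ("no translation group", src)


# The identity static from the answer, with nat/global alongside (constructed).
IDENTITY_STATIC = """
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
"""

# The nat 0 access-list form from the answer (constructed).
NAT_EXEMPTION = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
"""

LAN_HOST, VPN_CLIENT, INTERNET_HOST = "10.1.1.20", "192.168.1.5", "198.51.100.7"


def outside_source(config: str, src: str, dst: str) -> Tuple[str, str]:
    """What the outside sees as the source of src->dst under this config."""
    return PixNat(config).translate(src, dst)


if __name__ == "__main__":
    for name, cfg in (("identity static", IDENTITY_STATIC), ("nat 0 + PAT", NAT_EXEMPTION)):
        for dst in (VPN_CLIENT, INTERNET_HOST):
            rule, seen = outside_source(cfg, LAN_HOST, dst)
            print(f"{name:16} {LAN_HOST} -> {dst:14} {rule:22} leaves as {seen}")
```

In Cisco's PIX 6.3 terminology the nat 0 access-list form is NAT exemption; policy NAT is a nat statement with a non-zero ID tied to an access list. On the real box, `show xlate` after a LAN host talks to a VPN client should show no translation for that flow, while the same host browsing the Internet should appear as a PAT entry on the outside interface address.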