Policy NAT on VPN traffic exiting the PIX inside interface

Unanswered Question
Jun 15th, 2010
User Badges:

I currently have site to site VPN configured which works fine with the exception of policy NAT.  I want to be able to policy NAT traffic coming out of the VPN tunnel destined for the internal network.  For instance traffic from remote subnet x.x.x.x destined to y.y.y.5 would get NAT'd to the PIX inside interface IP address of y.y.y.1.

I am running Cisco PIX Firewall Version 6.3(5)

Any thoughts would be appreciated.  Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Tue, 06/15/2010 - 15:07
User Badges:
  • Green, 3000 points or more


So you want the ASA to decrypt the traffic, then NAT it when going to the internal network.

Don't you have the option to NAT it on the other side of the tunnel?

If not, I believe that with Policy NAT as you mentioned, it should work.


millerw1 Tue, 06/15/2010 - 15:17
User Badges:


That is correct.  I was hoping to avoid NAT'ing on the other side of the tunnel if at all possible.  In most cases that is exactly what I would do but I have to NAT to an address on the same subnet as the PIX inside interface due to a host network limitation.

Here is the relevant part of the config which is not working:

access-list out-in-nat permit ip any host y.y.y.x

global (inside) 1 interface
nat (outside) 1 access-list out-in-nat 0 0

Federico Coto F... Tue, 06/15/2010 - 15:21
User Badges:
  • Green, 3000 points or more

Try changing ''any'' from the ACL to the source network or address of the remote site.
Make sure that this traffic is not included in the NAT 0 access-list, because it will take


millerw1 Wed, 06/16/2010 - 08:04
User Badges:

I tried changing the ACL but it is still not working.  I don't see any hits on the NAT ACL.

Federico Coto F... Thu, 06/17/2010 - 08:43
User Badges:
  • Green, 3000 points or more

Did you verified that the traffic is not part of the NAT 0 ACL?

Could you post the output of:

sh run nat

sh run access-list

sh run static



This Discussion