Site to Site IPSec, PIX Version 6.3(5)

Unanswered Question
Jul 15th, 2010


My local subnet is and the remote end also has the same subnet.

We need to do a site-to-site VPN with these details:
My public IP is 194.a.b.193 and the remote end peer IP is 100.a.b.19
The remote end's NATted IP is (100.a.c.198)


1. Is NAT allowed through IPsec?
2. Do I need GRE to run in this scenario?

3. What will be the interesting traffic access list on end A?

4. Any sample config guide/URL for such a scenario?

ip access-l Local permit host 100.a.c.198 host 194.a.b.193 ? or something else

Please guide with some brief notes.

Thanks & regards


Federico Coto F... Sun, 07/18/2010 - 09:41

Hi Amar,

1. NAT is allowed through IPsec (and necessary when you have overlapping issues)

NAT occurs prior to encapsulation, therefore the traffic sent through the tunnel is already translated.

2. You don't need GRE for NAT.

GRE is needed to allow communication of non-IP traffic or non-unicast traffic.

If the requirement is to NAT the interesting traffic, there's no need for GRE (PIXes won't support GRE anyway).

3. The interesting traffic (if using NAT) will be the translated subnets.

If you translate site A to X and site B to Y, the interesting traffic will be between X and Y.

4. Not having a sample handy, let us know if you have any questions.


amardram123 Sun, 07/18/2010 - 23:33

Please correct me if I am wrong; what I understood is:

1. I need to set the peer as their public IPs
2. then we can NAT the interesting traffic with one public IP on both ends.
3. and set a route with the destination as the remote public IPs.
4. the interesting ACL should be: access-l ipsec permit mask mask
Let's consider:
Local lan subnet:
Local Public peer ip:
NATTed ip for LAN(

Local lan subnet:
Remote peer ip:
NATTed ip for LAN(

then the configuration should be like:
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encrypt 3des
crypto isakmp key cisco address
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list ipsectraffic permit ip

nat (inside) 1 access-list ipsec
global (outside) 1
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address ipsectraffic
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer
crypto map toSanJose interface outside
sysopt connection permit-ipsec

Federico Coto F... Tue, 07/20/2010 - 05:44

Hi Amar,

Your understanding is correct for the most part, but I'll add an example for the policy NAT:

Site A:

Local LAN =

NAT to =

Site B:

Local LAN =

NAT to =

Configuration for Site A:

access-list NAT permit ip

static (inside,outside) access-list NAT

access-list crypto permit ip

Configuration for Site B:

access-list NAT permit ip

static (inside,outside) access-list NAT

access-list crypto permit ip

In this way, traffic will flow between both sites from to and vice versa.

The "crypto" ACL is the interesting traffic.
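The design in the two replies above (translate each site's identical LAN to a distinct range with policy NAT, then match the translated ranges in the crypto ACL) can be checked mechanically. The following script is an added example, not code or configuration from the thread or from Cisco; the LAN 10.1.1.0/24 and the mapped ranges 192.168.10.0/24 ("X") and 192.168.20.0/24 ("Y") are constructed values, since the thread's real addresses are not shown. It validates that the chosen mapped ranges are usable, renders the PIX 6.3 lines in the same form the reply uses, and traces one packet to show that NAT happens before the crypto ACL is consulted, so an ACL written against the real subnets would never select the traffic.

```python
# Added example (not from the thread): model policy NAT + IPsec for two sites
# that share the same LAN, validate the mapped ranges, and trace one flow.
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed sample values; the real addresses from the thread are not shown on the page.
LAN = IPv4Network("10.1.1.0/24")                 # identical LAN at site A and site B
SITE_A_MAPPED = IPv4Network("192.168.10.0/24")   # hypothetical "X": site A as seen by B
SITE_B_MAPPED = IPv4Network("192.168.20.0/24")   # hypothetical "Y": site B as seen by A


def validate_mapping(lan_a, mapped_a, lan_b, mapped_b):
    """Return a list of design errors; an empty list means the plan is sound."""
    errors = []
    if mapped_a.prefixlen != lan_a.prefixlen or mapped_b.prefixlen != lan_b.prefixlen:
        errors.append("net-to-net static NAT needs equal prefix lengths")
    if mapped_a.overlaps(mapped_b):
        errors.append("mapped ranges X and Y overlap; the crypto ACL would be ambiguous")
    for name, mapped in (("A", mapped_a), ("B", mapped_b)):
        if mapped.overlaps(lan_a) or mapped.overlaps(lan_b):
            errors.append(f"site {name} mapped range overlaps a real LAN; routing would be ambiguous")
    return errors


def net_to_net_nat(addr, real_net, mapped_net):
    """Static net-to-net translation: keep the host offset, swap the network part."""
    addr = ip_address(addr)
    if addr not in real_net:
        return addr  # address is not covered by this static rule
    offset = int(addr) - int(real_net.network_address)
    return IPv4Address(int(mapped_net.network_address) + offset)


def pix_config(site, lan, mapped_local, mapped_remote):
    """Render the PIX 6.3 lines following the pattern given in the reply above."""
    def net(n):
        return f"{n.network_address} {n.netmask}"
    return [
        f"! Site {site}",
        # Policy NAT: translate our real LAN only when talking to the remote mapped range.
        f"access-list NAT permit ip {net(lan)} {net(mapped_remote)}",
        f"static (inside,outside) {mapped_local.network_address} access-list NAT",
        # Interesting traffic is the translated ranges, never the real LANs.
        f"access-list crypto permit ip {net(mapped_local)} {net(mapped_remote)}",
    ]


def acl_matches(acl_src_net, acl_dst_net, src, dst):
    """Does a single permit-ip ACE match this source/destination pair?"""
    return ip_address(src) in acl_src_net and ip_address(dst) in acl_dst_net


def trace_flow(src_real, dst_addr):
    """Follow one packet from a site-A host toward dst_addr: NAT first, then IPsec."""
    src_real, dst_addr = ip_address(src_real), ip_address(dst_addr)
    # Site A: the policy NAT ACL only hits when the destination is site B's mapped range.
    headed_for_b = dst_addr in SITE_B_MAPPED
    src_on_wire = net_to_net_nat(src_real, LAN, SITE_A_MAPPED) if headed_for_b else src_real
    # The crypto ACL is evaluated on the already-translated packet.
    encrypted = acl_matches(SITE_A_MAPPED, SITE_B_MAPPED, src_on_wire, dst_addr)
    # Site B un-translates its own mapped range back to the real host.
    dst_delivered = net_to_net_nat(dst_addr, SITE_B_MAPPED, LAN) if encrypted else None
    return {
        "src_on_wire": str(src_on_wire),
        "dst_on_wire": str(dst_addr),
        "encrypted": encrypted,
        "dst_delivered": str(dst_delivered) if dst_delivered is not None else None,
    }


if __name__ == "__main__":
    problems = validate_mapping(LAN, SITE_A_MAPPED, LAN, SITE_B_MAPPED)
    print("design errors:", problems or "none")
    for line in pix_config("A", LAN, SITE_A_MAPPED, SITE_B_MAPPED):
        print(line)
    for line in pix_config("B", LAN, SITE_B_MAPPED, SITE_A_MAPPED):
        print(line)
    # Host 10.1.1.25 at site A reaching host 10.1.1.7 at site B by its mapped address.
    print(trace_flow("10.1.1.25", "192.168.20.7"))
    # Addressing the remote host by its real address never enters the tunnel.
    print(trace_flow("10.1.1.25", "10.1.1.7"))
```

The second trace is the point practitioners most often miss: hosts at site A must address site B by its mapped range Y, because a packet sent to the real 10.1.1.x address is local to site A and is neither translated nor encrypted.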
