Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Natting over IPSec Tunnel in PIX Firewall

Unanswered Question


We have a PIX 525 FW is IOS Ver. 6.3. We are using a 172.x.x.x network in our LAN. We need to establish a VPN tunnel from our firewall to one of our clients firewall. Our client is ready to allow access to his network only if our private ip address are natted to a public ip range. I would like to know how to configure the NAT and IPSec in this kind of scenario. We have done similar configurations using Checkpoint and it works well there. I tried a couple of configurations for NATting as follows over the IPSec tunnel.

access-list acl_outbound permit ip

nat (inside) 1 access-list acl_outbound

global (outside) 1

In the above configuration 172.16.x.x is my local network and 10.100.x.x is my clients network. When the access-list matches i am natting it to the public ip range. I am specifying the public ip range in my VPN interesting traffic. After i issue this command and save the configurations and when i try to open the PDM i get a message saying "Policy Based NAT is not supported" and the PDM doesnt allow me to do any changes through PDM.

Can somebody let me know how to configure a PIX in this kind of scenario.


G.G. Venkat Raman,

email: [email protected]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gfullage Tue, 11/29/2005 - 20:37
User Badges:
  • Cisco Employee,

You're configuring the PIX correctly, assuming your crypto ACL then looks like the following:

access-list crypto permit ip host

Keep in mind that NAt happens BEFORE IPSec, so it is fine to NAt the traffic first, then use IPSec to define the already-NAT'd traffic.

The issue you're having with PDM is simply that PDM does not support any policy-NAt statements, so PDM will go into Monitor mode if you have this config in place. There is no way around it unfortunately.

For a listed of unsupported commands, see here:


mklaphek Mon, 12/19/2005 - 10:26
User Badges:

So, can you use this for overlapping IP address space by configuring each end to NAT to something else?

In other words, if each endpoint used as their IP addressing scheme, could you set one end up to nat to and the other to and have it work?

PIX 1:

access-list crypto-2remote permit ip

nat (inside) 2 access-list crypto-2remote

global (outside) 2

PIX 2:

access-list crypto-2local permit ip

nat (inside) 2 access-list crypto-2local

global (outside) 2

k.subramaniam Tue, 11/29/2005 - 22:30
User Badges:


As per my understanding you need to set up the accesslist for intresting traffic in such a way that it specifiy the sourch as a public IP pool and destination as a And also just try with following command.

nat (in) 1

global (out) 1

Hope this will resolve your issue.


Mehul Patel

email : [email protected]


This Discussion