Cisco Support Community

Cisco PIX VPN "Interesting" traffic


I have a Cisco PIX 501 with a 50 user license. I have been asked to setup a site-to-site VPN with another firewall.

My issue is that the other site is requesting that I NAT the device they want to communicate with (only 1 host) to the same IP address as the only one on the WAN side of my PIX.

Is this possible? If not, can it be done if I have another public IP address available?

Example (IP Addresses have been modified)

LAN IP - /24

WAN IP /29

The device on the LAN that they want to communicate with is


Eric Hanke


Re: Cisco PIX VPN "Interesting" traffic

if you're using the outside IP of the PIX for global PAT (e.g. - global (outside) 1 interface), you're better off using a different address, but yes, it can be done.

you will need to use policy nat.

your crypto acl (interesting traffic acl) will be based on the public/nat'ed IP of the server.


Re: Cisco PIX VPN "Interesting" traffic

Like Steven said, you're better off using another ip. Something like this would work...

x.x.x.x = some other address

access-list vpn_nat permit ip host

access-list crypto permit ip host x.x.x.x

static (inside,outside) x.x.x.x access-list vpn_nat

This will allow the remote site to communicate with by using x.x.x.x.


Re: Cisco PIX VPN "Interesting" traffic

The problem is that the other side will not allow me to use an RFC 1918 address. They want me to NAT the private IP address of the server to the public IP address of the firewall.

Re: Cisco PIX VPN "Interesting" traffic

Hi Eric,

access-list Pol_Nat permit ip host remotesitenetwork remotesitenetmask

static (inside, outside) yourdesiredpublicip access-list Pol_Nat

access-list interesting_traffic permit ip host yourdesiredpublicip remotesitenetwork remotesitenetmask

crypto map xxx xxx match address interesting_traffic
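The key point in the configuration above is that the policy NAT ACL is written on the server's real (inside) address while the crypto ACL is written on the translated public address, and that the translated address should not be the outside interface IP when that IP is already in use for interface PAT. The following added example (not code from the thread or from Cisco) parses a constructed PIX fragment and checks exactly those two points; all addresses, ACL names and the crypto map name are made up.

```python
import re

# Constructed PIX fragment following the thread's advice: policy NAT of the
# internal server to a spare public IP, crypto ACL written on that public IP.
# Every address here is made up for the example.
GOOD_CONFIG = """
global (outside) 1 interface
access-list Pol_Nat permit ip host 192.168.1.10 10.20.0.0 255.255.255.0
static (inside,outside) 203.0.113.5 access-list Pol_Nat
access-list interesting_traffic permit ip host 203.0.113.5 10.20.0.0 255.255.255.0
crypto map outside_map 10 match address interesting_traffic
"""
# Same fragment, but the crypto ACL was written on the private address (a common mistake).
BAD_CONFIG = GOOD_CONFIG.replace("permit ip host 203.0.113.5", "permit ip host 192.168.1.10")

ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,\s*outside\) (\S+) access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def check_vpn_nat(config, outside_ip):
    """Return a list of problems; an empty list means NAT and crypto ACLs agree."""
    acls, statics, crypto_acls, problems = {}, {}, [], []
    pat_on_interface = False
    for line in config.strip().splitlines():
        line = line.strip()
        if line == "global (outside) 1 interface":
            pat_on_interface = True            # outside interface IP is used for PAT
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])   # (src, dst, mask)
        elif m := STATIC_RE.match(line):
            statics[m.group(2)] = m.group(1)    # policy NAT ACL name -> public IP
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
    # Hosts that appear untranslated in a policy-NAT ACL must not appear in a crypto ACL.
    inside_hosts = {src for name in statics for src, _, _ in acls.get(name, [])}
    for global_ip in statics.values():
        if pat_on_interface and global_ip == outside_ip:
            problems.append(f"{global_ip} is also the interface PAT address; use a spare public IP")
    for crypto in crypto_acls:
        for src, dst, mask in acls.get(crypto, []):
            if src in inside_hosts:
                problems.append(f"crypto ACL {crypto} matches untranslated host {src}")
            elif src not in statics.values():
                problems.append(f"crypto ACL {crypto}: no policy static translates to {src}")
    return problems

if __name__ == "__main__":
    print(check_vpn_nat(GOOD_CONFIG, "203.0.113.2"))   # []
    print(check_vpn_nat(BAD_CONFIG, "203.0.113.2"))    # crypto ACL on the private host
```

Running the checker with the static pointed at the outside interface address (the original question's scenario) reports the PAT collision the first reply warns about.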



Re: Cisco PIX VPN "Interesting" traffic

Dear Mr. Eric,

As far as I get your query, this is not an issue at all. Actually, your other side wants you to NAT the host which is on your side to an IP that they may provide you; most probably it's their LAN IP. So you simply NAT that host to an IP that they provide you.

Thanks & Regards,

Rashid Ghazanfar
