Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

pix and cisco concentrator vpn problem

Dear All,

I need to setup the vpn tunnel between 2 sites.One site has the concentrator another site has the pix 515E.The site engineer from the concentrator side given the below details to configure the pix in my site.

Concentrator site Tunel ip : 168.x.x10

Phase-1 Setting

Phase 2 settings

Key id

I prefered the both crypto map and isakmp policy then applied it to the firewall and tested found that no tunnel establishment.

They mainly accessing our server with

They want me to translate this ip then do the vpn tunnel config. I confused and come to netpro to get your help.

Please tell me how can i do the tunnel with one site (remote) legal ip address subnet (168.x.x.0/24) and my site rfc 1819 address ( the ip address to be translated first before the ip sec config.

Now i have to solve the problem asas.

Please help me.



Re: pix and cisco concentrator vpn problem

Here is basic example on LAN-to-LAN vpn between PIX and vpn concentrator.


Community Member

Re: pix and cisco concentrator vpn problem


In real config, the remote admin ask me not to do the anting. So i translated the local server to the loval legal ip given by ISP then the legal ip i made the crypo acl.Now i need to proceed further to finish the config.



Community Member

Re: pix and cisco concentrator vpn problem

Your crypto access-list needs to specify the NAT'ed IP address(es) going to the remote site 168.x.x.0/24 network. You're going to need to NAT the appropriate traffic using policy NAT - nat (inside) 1 access-list NAT-TO-VPN3000.

access-list NAT-TO-VPN3000 permit ip host 168.x.x.0 255.255.x.x

Basically, you want to NAT prior to encrypting your VPN traffic. Your crypto ACL must be an exactly mirror of the remote side

Community Member

Re: pix and cisco concentrator vpn problem



Here the remote engr asked me not to do the nat.

so i did the static (inside,outside) 193.188.x.13 netmask

then in crypto acl

access-list ul_vpn permit host 193.188.x.13 168.x.x.0

crypto map vpn 140 address ul_vpn

I left is ur solu of policy nat.

tell me if i do the nat (inside)1 acl then it would use global outside of pix outside address.please explain bit more.

Really it is helpful to me.

please i need to know bit more


Community Member

Re: pix and cisco concentrator vpn problem

I'm confused about what the vpn requirements are. If the remote engineer doesn't want you to NAT the host then you create an ACL and NAT statement like the ones below.

access-list NO-NAT-ACL permit ip host 168.x.x.0

nat (inside) 0 access-list NO-NAT-ACL

CreatePlease to create content