Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX: NAT in Site to Site VPN


Hopefully someone can confirm this is possible.

I have a PIX 525 running v7.2 and it terminates several Site-To-Site VPNs with other organisations who then use services hosted on a DMZ. That all works fine.

I'm connecting up another organisation who cannot route to private address space down a VPN at their end. That causes a problem, because the address they need to contact down the VPN is a private one.

So is it possible to do a NAT to one of our Internet addresses on the outside of the PIX, but still have them access it over the VPN?

There doesn't seem to be an equivalent config on the Cisco support examples and I've checked the Wiki, but couldn't find anything that matches this scenario.



Hall of Fame Super Blue

Re: PIX: NAT in Site to Site VPN


Yes it is possible although if other companies are accessing the same server in it's private IP address that is going to be problematic.

Assuming it isn't lets say -

ptivate host at your end =

public IP you present it as to remote site -

Your crypto map access-list at your end would be

access-list vpntraffic permit ip host 17216.5.0

ie. the key thing is in your crypto map you need to reference the Natted IP address.


remote site subnet =

New Member

Re: PIX: NAT in Site to Site VPN


Thanks for the response.

Unfortunate other companies do access the private address down the Site-2-Site VPNs. What's the problematic bit?

So the NAT would be as normal? We already have this in place as one particular organisation accesses it using a static NAT as the protocol is SSL'ed already - something like:

static (inside,outside) netmask



New Member

Re: PIX: NAT in Site to Site VPN

Chas use this:

access-list ext NAT permit ip host

static (inside,outside) access-list NAT

Your Crypto access-list should be:

access-list ext vpntraffic permit host

Also, note that you need not put the traffic from server to n/w in NONAT access-list that you may have for VPN traffic that is non-nated.