Cisco Support Community
Community Member

PIX VPN / NAT problem

hi all,

I am trying to configure a VPN setup. I have configured the crypto map and ISAKMP configuration, but as for the ACL and NATting, I face the following issue.

I want to establish a VPN tunnel from a PIX to another IPsec gateway, such that the local host IP gets NATted as follows:

Local Host: This host should be NATted to an IP, say,

Destination host:

Remote Peer:

User from should only be able to access the FTP service on the destination host.

Could someone advise me on the config to be done on the PIX? I know the IKE and IPsec config to be done, but how do I handle access-lists and NAT?

Community Member

Re: PIX VPN / NAT problem

hi all,

For those who were unable to understand my question, and even for those who were about to answer: I have finally completed what I wanted to do, so I thought I should share it.

I did the following:

- Define a conditional NAT process to NAT to, but only if going to the destination:

access-list conditional_nat permit ip host host
global (outside) 20 x.x.10.2
nat (inside) 20 access-list conditional_nat

- Define the traffic to be encrypted. This now includes the NATted address and not the original host IP:

access-list special_vpn permit ip host host
crypto map yourmap match address special_vpn
crypto map yourmap set peer 209.x.x.71

- Restrict outbound VPN traffic to FTP only:

access-list outbound_restrict permit tcp host host eq ftp
access-list outbound_restrict permit tcp host host eq ftp-data
access-list outbound_restrict deny ip host host
access-list outbound_restrict permit ip any any
access-group outbound_restrict in interface inside

Hope this helps anyone like me.
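As an added illustration (not from the post above), the following Python models the order of operations the reply depends on: the inside-interface ACL is evaluated first, the policy NAT then translates the source only for traffic to the destination host, and only after that is the crypto map ACL matched, which is why special_vpn must name the NATted address rather than the original host. All addresses are constructed placeholders, since the post's real hosts were elided.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (the post elided its real hosts);
# NAT_IP stands in for the post's "x.x.10.2".
LOCAL_HOST = "10.1.1.50"
NAT_IP = "192.0.2.2"
DEST_HOST = "198.51.100.10"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int = 0

# (action, proto, src, dst, dport); None means "any". First match wins, as on a PIX.
OUTBOUND_RESTRICT = [
    ("permit", "tcp", LOCAL_HOST, DEST_HOST, 21),    # eq ftp
    ("permit", "tcp", LOCAL_HOST, DEST_HOST, 20),    # eq ftp-data
    ("deny",   "ip",  LOCAL_HOST, DEST_HOST, None),  # deny ip host host
    ("permit", "ip",  None,       None,      None),  # permit ip any any
]

def acl_lookup(acl, flow):
    """Action of the first matching entry; a PIX ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", flow.proto) and src in (None, flow.src)
                and dst in (None, flow.dst) and dport in (None, flow.dport)):
            return action
    return "deny"

def policy_nat(flow):
    """nat (inside) 20 access-list conditional_nat: translate only towards DEST_HOST."""
    if flow.src == LOCAL_HOST and flow.dst == DEST_HOST:
        return Flow(NAT_IP, flow.dst, flow.proto, flow.dport)
    return flow

def crypto_match(flow):
    """special_vpn ACL: permit ip host NAT_IP host DEST_HOST, evaluated after NAT."""
    return flow.src == NAT_IP and flow.dst == DEST_HOST

def process_outbound(flow):
    """Inside-interface order: access-group ACL, then policy NAT, then crypto map."""
    if acl_lookup(OUTBOUND_RESTRICT, flow) == "deny":
        return ("dropped", flow)
    translated = policy_nat(flow)
    return ("encrypted" if crypto_match(translated) else "clear", translated)
```

Running the untranslated flow through crypto_match directly shows why a crypto ACL written against the original host IP would never select the tunnel.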
