Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

is VPN throw nat possible?


I will have a small pix 501, we have yet a none cisco adsl router.

I was wondering, if I configure vpn-to-vpn (cisco to nortel) from the pix, will it work if I have only one public address on ADSL outside interface?

So will it work if the esp traffic is nated to the outside interface?

Many thanks.



Re: is VPN throw nat possible?

www <--> adsl router <--> pix501 <--> inside subnet

re-configure the adsl router from running router-mode to bridge-mode, then configure pppoe on the pix if isp authentication is required.

with this scenario, the public ip will be assigned directly on the pix outside interface, and the router will act as a dump adsl signal "handler". thus, you don't have to worry about the complication of nat, firewall rule etc.

Re: is VPN throw nat possible?

Hi and many thanks for your advice,

Another point, in the case I need to keep a DMZ between the adsl and the pix,

inside subnet --- (PIX 501)

---------------------------------- (ADSL) -- INTERNET

DMZ Subnet(private subnet)

Can I still use PPPoe?

The customer has now a cheap zyxel router (should change), do you think it is also possible with it to configure it as a bridge?

Last point... Do you have any configuration example?

Many thanks.



Re: is VPN throw nat possible?

it's not feasible to configure pppoe on the pix with the posted scenario.

the reason being with the pppoe configured on the pix, the router will have no ip address at all and runs as a bridge. the only function of the router is then to translate the dsl signal. without a layer 3 device in front of the dmz, host will not be able to connect to the internet.

i suggest a purchase of cisco router, such as 837/877, replacing the existing adsl router.

www <--> 837/877 <--dmz--> pix <--> inside

837/877 router is capable to handle adsl, firewalling, and vpn. thus the segment between the roter and the pix can be used as a dmz; whereas the pix can be used to secure the inside subnet.

further, the primary advantage of 877 over 837 is the wireless capability.

nonetheless, below are the codes for configuring pppoe on pix:

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname

vpdn group pppoe_group ppp authentication chap

vpdn username password

ip address outside pppoe setroute

Re: is VPN throw nat possible?


Many thanks.