Cisco Support Community
Cisco Employee

NAT 0 problem with VPN

We have the following problem:

PIX 520 5.3.3

Three interfaces:

- outside 10.x.x.x
- dmz 172.16.x.x
- inside 172.17.x.x

VPN termination (PPTP) 192.168.100.x

An internal host is published with a static to

External clients which connect via VPN (PPTP) should be able to connect to the internal host (with its internal IP) only on a specific port.

We have configured a NAT 0 for inside and associated with it an access-list which permits ip to the host.

Then we created an access-list applied to the outside which should permit only the requested port.

The problem is that it seems the outside access list is ignored and all traffic is permitted from the VPN client to the internal host.

The relevant part of the config follows:

nameif ethernet0 outside security0
nameif token-ring0 inside security100
nameif ethernet1 bondioli security99

name ASSAP

access-list 101 permit ip host ASSAP
access-list from-inside permit ip host ASSAP any
access-list from-inside deny ip any any
access-list from-outside permit icmp any any echo-reply
access-list from-outside permit tcp any host ASSAP-PUB eq 3201
access-list from-outside permit tcp any host ASSAP-PUB eq 3203
access-list from-outside deny ip any any

ip local pool VPN-IP-POOL
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) ASSAP-PUB ASSAP netmask 0 0
access-group from-outside in interface outside
access-group from-inside in interface inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local VPN-IP-POOL
vpdn group 1 client authentication local

New Member

Re: NAT 0 problem with VPN


Your access-list from-outside couldn't match your requirement, because the packets from the vpdn client to the internal server are addressed to the outside address of the pix. The source address is the official vpdn client ip address and the destination address is the outside ip address of the pix at the time the packet arrives on the outside interface of the pix. The pix decapsulates the packet and then forwards it out the internal interface.

Your solution is to permit only the wanted return traffic in the from-inside acl.

access-list from-inside permit tcp host ASSAP eq 3201
access-list from-inside permit tcp host ASSAP eq 3203

This should meet your requirements.
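A small added model of the packet flow described in this reply; it is not the poster's PIX configuration nor Cisco code. It parses the thread's from-outside ACL and the two from-inside entries proposed above into a first-match evaluator, then runs the packets named in the reply through it: the PPTP tunnel packet that actually arrives on the outside interface, the decapsulated inner packet, and the return traffic leaving through the inside ACL. Every IP address is a constructed placeholder for a value the post elides, and the destination `any` appended to the two proposed from-inside lines is an assumption (the reply leaves the destination open).

```python
"""Toy model of PIX interface-ACL evaluation for the thread above.

Addresses are constructed placeholders; the original post elided them.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the names the post uses without values.
NAMES = {
    "ASSAP": "172.17.0.10",      # internal host on the inside interface
    "ASSAP-PUB": "10.0.0.10",    # its static translation on the outside
}
PIX_OUTSIDE = "10.0.0.1"            # assumed PIX outside interface address
VPDN_CLIENT_PUBLIC = "10.9.9.9"     # assumed real address of the PPTP client
VPDN_CLIENT_POOL = "192.168.100.5"  # assumed address handed out from VPN-IP-POOL

# ACL text from the thread: from-outside verbatim, from-inside as proposed in
# the reply, with the (assumed) destination "any" completing each line.
CONFIG = """
access-list from-outside permit icmp any any echo-reply
access-list from-outside permit tcp any host ASSAP-PUB eq 3201
access-list from-outside permit tcp any host ASSAP-PUB eq 3203
access-list from-outside deny ip any any
access-list from-inside permit tcp host ASSAP eq 3201 any
access-list from-inside permit tcp host ASSAP eq 3203 any
access-list from-inside deny ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "gre" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Optional[str]           # None means "any"
    src_port: Optional[int]
    dst: Optional[str]
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.src_port is not None and self.src_port != pkt.sport:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dport:
            return False
        return True


def _addr(tokens):
    """Consume 'any' or 'host NAME'; names resolve through NAMES."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return NAMES.get(tokens[1], tokens[1]), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens}")


def _port(tokens):
    """Consume an optional 'eq N' (PIX puts the port right after its address)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text: str) -> dict:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    acls: dict = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _addr(tokens[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)  # a trailing icmp type such as echo-reply is ignored
        acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, pkt: Packet) -> str:
    """First-match evaluation with the PIX implicit deny at the end."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def trace_vpn_session() -> dict:
    """Run the packets named in the reply through the two interface ACLs."""
    acls = parse_acl(CONFIG)
    # What the outside interface really sees: the GRE tunnel packet from the
    # client's real address to the PIX itself (terminated via sysopt permit-pptp).
    tunnel = Packet("gre", VPDN_CLIENT_PUBLIC, PIX_OUTSIDE)
    # The decapsulated packets: pool address -> untranslated internal host.
    inner_app = Packet("tcp", VPDN_CLIENT_POOL, NAMES["ASSAP"], 40001, 3201)
    inner_telnet = Packet("tcp", VPDN_CLIENT_POOL, NAMES["ASSAP"], 40000, 23)
    # Return traffic from the internal host back to the pool address.
    reply_app = Packet("tcp", NAMES["ASSAP"], VPDN_CLIENT_POOL, 3201, 40001)
    reply_telnet = Packet("tcp", NAMES["ASSAP"], VPDN_CLIENT_POOL, 23, 40000)
    return {
        "tunnel_vs_from_outside": evaluate(acls["from-outside"], tunnel),
        "inner_app_vs_from_outside": evaluate(acls["from-outside"], inner_app),
        "inner_telnet_vs_from_outside": evaluate(acls["from-outside"], inner_telnet),
        "reply_app_vs_from_inside": evaluate(acls["from-inside"], reply_app),
        "reply_telnet_vs_from_inside": evaluate(acls["from-inside"], reply_telnet),
    }


if __name__ == "__main__":
    for name, verdict in trace_vpn_session().items():
        print(f"{name}: {verdict}")
```

Two things fall out of the trace. The from-outside entries never see the decapsulated packet, and even if they did they name ASSAP-PUB while the nat 0 traffic carries the untranslated ASSAP address, so neither port 3201 nor port 23 would match them. The model covers ACE matching only, not the PIX's stateful connection table, so it shows which entry each packet would hit, not whether a return packet is ever subjected to the inside ACL at all.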


Cisco Employee

Re: NAT 0 problem with VPN

Michael,

Thanks for your reply, we'll try your suggestion immediately.

However, the configuration we made was based on the example in the Cisco documentation.

In the command reference for the vpdn command there's the example we started from.

Cisco Employee

Re: NAT 0 problem with VPN

We tried your tip but had no luck.

It seems that when enabling the nat (inside) 0 access-list ... packets bypass the ACL on the outside interface.
