
New Member

NAT and Site-to-site VPN

Hi all,

We currently have a PIX in our LAN. There is a site-to-site VPN tunnel between this PIX and another network in a foreign country.

We have several networks in our LAN.

The VPN tunnel concerns one network: / 24.

and the network on the other site is: /21

A part of the configuration:

access-list inside_nat0_outbound permit ip

nat (inside) 0 access-list inside_nat0_outbound

As I said before, we have several networks.

In particular, we have /24 too.

And we would like this network to be able to use the VPN tunnel too.

But, the other site doesn't want to route our other network in their LAN.

They suggest that we NAT from / 24 to an IP address on the / 24, so users on network / 24 can use the VPN tunnel too.

Do you know if it's possible to do that with my PIX? And how?

It's a PIX-515-DMZ, v6.3(5).

Any help would be much appreciated!




Re: NAT and Site-to-site VPN

This is possible via policy nat, but there is a caveat. You can nat all hosts on your to an available address on your network. But they will not be able to elicit connections from the other side to these translated hosts.

Check out this guide:


New Member

Re: NAT and Site-to-site VPN


Thank you for your answer, but I have a doubt about how to configure the policy nat...

I am thinking of something like this:

access-list NET1 permit ip

nat (inside) 11 access-list NET1

global (outside) 11

But I wonder if this configuration is OK... Can the IP address (which is an available address on my inside network) be configured as a global address on the outside interface?

Thank you in advance for your help!

Best wishes


Re: NAT and Site-to-site VPN

You are right on. The only thing is that you have to make sure this nat 11 occurs before any other nat that might also include the source address that you want to policy nat. For example, if you have a config like:

nat (inside) 1

global (outside) 1 interface

(This is very common)

Then your policy nat won't work because it would match the nat 1 before nat 11. So if you have such a scenario you will have to move things around a bit. As always when working on nat config, you will want to clear xlate after making the changes.


New Member

Re: NAT and Site-to-site VPN

Indeed, I have the two lines:

nat (inside) 1 0 0

global (outside) 1 interface

However, are you sure that the PIX will match nat 1 before nat 11?

In the documentation for PIX 7.0, I read:

Order of NAT Commands Used to Match Real Addresses:

1. NAT exemption (nat 0 access-list)

2. Static NAT and Static PAT (regular and policy) (static)

3. Policy dynamic NAT (nat access-list)

4. Regular dynamic NAT (nat)

My PIX has version 6. But maybe it's the same?

Thank you again for your help,


Re: NAT and Site-to-site VPN

Good point. You may be fine then.
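
The pieces discussed in this thread, put together as one constructed PIX 6.3 configuration fragment (added here for illustration; this is not the poster's configuration, and all addresses are documentation/private ranges chosen for the example). It relies on the NAT evaluation order quoted above from the 7.0 documentation (exemption, static, policy NAT, regular NAT) also holding on 6.3, which is the assumption the thread ends on.

```cisco
! Constructed example, not the original poster's configuration.
! Addresses used (all chosen for illustration):
!   192.0.2.0/24     local network already carried in the tunnel (NET_A)
!   10.20.0.0/24     second local network that must reuse the tunnel (NET_B)
!   192.0.2.250      unused address inside NET_A that NET_B is hidden behind
!   198.51.100.0/21  remote network behind the VPN peer
!
! 1. NAT exemption: NET_A to the remote site crosses the tunnel untranslated.
!    Keep the destination specific; a destination of "any" here would also
!    exempt Internet-bound traffic from the PAT in step 3.
access-list inside_nat0_outbound permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 2. Policy NAT: only NET_B traffic destined for the remote site is matched and
!    PATed behind 192.0.2.250. The global address is an inside address, which
!    is fine for the tunnel case, as confirmed in the thread. Caveat from the
!    first reply: this is one-way; remote hosts cannot initiate connections to
!    NET_B hosts through this translation.
access-list NET1 permit ip 10.20.0.0 255.255.255.0 198.51.100.0 255.255.248.0
nat (inside) 11 access-list NET1
global (outside) 11 192.0.2.250
!
! 3. Regular dynamic PAT for everything else (Internet access). Because
!    policy NAT (nat access-list) is evaluated before regular nat, NET_B
!    hosts still hit nat 11 for remote-site destinations even though nat 1
!    covers all sources.
nat (inside) 1 0 0
global (outside) 1 interface
!
! 4. Crypto ACL ("interesting traffic"): 192.0.2.250 already falls inside
!    NET_A, so the existing tunnel definition covers the translated traffic
!    and the peer needs no new route for NET_B.
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.248.0
crypto map outside_map 20 match address outside_cryptomap_20
!
! 5. After changing nat/global, flush existing translations (exec mode):
!    clear xlate
```

The names inside_nat0_outbound, NET1, outside_cryptomap_20 and outside_map are the thread's or placeholder names; only the addresses and the crypto map lines are assumptions added for the example.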

New Member

Re: NAT and Site-to-site VPN

OK, I will try this configuration.

Thank you again for your help!
