Cisco Support Community
New Member

NAT Transparency and PIX

What is NAT Transparency, and why doesn't it work with the PIX? Are there any workarounds for this?

If I configure a PIX to receive VPN connections from outside, do I need to open any ports or protocols up on the outside interface, or should it just work? I believe everything is denied by default?

Best Regards

New Member

Re: NAT Transparency and PIX

I'm not an expert, as I'm still trying to get things dialed in on my PIX, though I think I can help with a few of your questions.

I'm going to guess you are talking about IPSec, as NAT Transparency is not an issue with PPTP. Not sure about L2TP; I think it's bundled with IPSec.

NAT Transparency is the ability to terminate an IPSec VPN connection from a client that is being NATed. Normally IPSec does not allow for modification of the packet in transmission, so that when it arrives at the PIX it's unaltered. If your client is behind a LinkSys or other SOHO router, that router probably does NAT, converting your inside IP to a public IP. That conversion alters the packet, and the PIX sees this and drops the packet.

In some SOHO routers you can configure it to allow IPSec pass-through and allow one client on the inside out without affecting the packet, though it is spotty at best. I have two LinkSys routers and it works with one and not the other.

As for terminating VPN connections, the setup of the PIX would depend on the type of VPN you are implementing. PPTP is pretty quick and easy. IPSec was more complicated for me to get going. The issues I've been struggling with are authentication: who's doing it and how the PIX communicates with it. The PIX can authenticate users by itself or with RADIUS, IAS, TACACS+, ACS, cert servers, etc.

I’m trying to use a MS CA Server and having issues. )-;

Good Luck…
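
The packet-alteration problem described in the post above, as an added example that is not part of any post in this thread: an integrity check that covers the source address fails once a NAT router rewrites it, while the same check carried inside a UDP wrapper survives address and port rewriting. It goes one step past the post by showing the UDP wrapping that NAT traversal for IPsec uses (ESP in UDP port 4500, RFC 3948). Assumptions: the 9-byte header layout, the key, the addresses and all function names are constructed for illustration, and encryption is omitted.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real PSK
AH, UDP = 51, 17                # IP protocol numbers
NAT_T_PORT = 4500               # UDP port used for ESP-in-UDP (RFC 3948)

def ip_header(src, dst, proto):
    # Simplified 9-byte stand-in for an IPv4 header: src, dst, protocol.
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])

def icv(data):
    # 12-byte truncated HMAC as the integrity check value.
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def build_ah(src, dst, payload):
    hdr = ip_header(src, dst, AH)
    return hdr + icv(hdr + payload) + payload   # ICV covers the addresses

def verify_ah(pkt):
    hdr, tag, payload = pkt[:9], pkt[9:21], pkt[21:]
    return hmac.compare_digest(tag, icv(hdr + payload))

def build_esp_in_udp(src, dst, sport, payload):
    esp = payload + icv(payload)                # ICV covers only the ESP part
    return ip_header(src, dst, UDP) + struct.pack("!HH", sport, NAT_T_PORT) + esp

def verify_esp_in_udp(pkt):
    esp = pkt[13:]                              # skip 9-byte IP + 4-byte UDP stub
    return hmac.compare_digest(esp[-12:], icv(esp[:-12]))

def nat_rewrite(pkt, public_ip, public_port=None):
    # What a NAT/PAT router does: swap the source address, and for UDP the source port.
    out = socket.inet_aton(public_ip) + pkt[4:]
    if public_port is not None and out[8] == UDP:
        out = out[:9] + struct.pack("!H", public_port) + out[11:]
    return out

def demo():
    ah = build_ah("192.168.1.10", "203.0.113.1", b"data")
    natt = build_esp_in_udp("192.168.1.10", "203.0.113.1", 4500, b"data")
    return {
        "ah_direct": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite(ah, "198.51.100.7")),
        "natt_after_pat": verify_esp_in_udp(nat_rewrite(natt, "198.51.100.7", 40001)),
    }

if __name__ == "__main__":
    print(demo())
```

The UDP wrapper also gives a PAT device a source port to multiplex on, which a bare IPsec packet does not have.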


New Member

Re: NAT Transparency and PIX

Hey Thanks Scott for your input

I guess my confusion is with the PIX and NAT transparency. I guess that if a VPN client is going through a PAT/NAT device, then the PIX will drop the pkt, but if you're doing PIX-to-PIX, it should work OK... I think this is right. Please correct me if I am wrong.

With regards to VPN connections, do I need to open anything up on the PIX? If not... how come?


New Member

Re: NAT Transparency and PIX

So you're setting up a PIX to PIX VPN? Then you would not need NAT Transparency, as both of the outside interfaces on the PIX should be on the Internet. Unless of course you are being NATed by your upstream provider.

For a PIX to PIX VPN you can connect the two together by using IPSec and preshared keys. It's the quickest and most straightforward.

Here is a link on a simple PIX to PIX Config

