Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 problem

Hi, I have a question....

Is it possible to configure NAT + Vpn?

I read

but i can't understand how it works.

If it is possible can you give me an example of a working configuration?

New Member

Re: PIX 501 problem


We will use internal network 192.168.0.x

We will use other networks as 172.16.x.x

Are you looking to run a point to point VPN or a VPN group? You will need your global range or interface to allow the inside traffic to nat out.

i.e. global (outside) 1 interface (PAT)

or global (outside) 1 x.x.x.x - x.x.x.x (This being a range of IP's)

You will then need to associate the NAT statement with the global

nat (inside) 1 (this will NAT everyone)

or nat (inside) 1 (for a one to one)

For a point to point VPN you will want to configure you CRYPTO MAP and YOUR ISAKMP.

Once this is complete you will need to create you access-list to allow the interesting traffic to traverse the tunnel

i.e. access-list 100 permit ip

and access-list 101 permit ip

You will then need a nat statement as follows. This tells the traffic designated in the access not to NAT but to use the tunnel.

nat (inside) 0 access-list 100

You will apply the second access-list to crypto-map match address 101

i.e. crypto map (map name) 10 match address 101

Lastly you will need to add the crypto map to the interface with

crypto map (mapname) interface outside

Let me know how you are looking to configure your VPN and I can give you more detail.

New Member

Re: PIX 501 problem

This is my conf and don't work....

Result of PIX command: "show crypto isakmp sa"

Total : 1

Embryonic : 1

dst src state pending created

x.x.177.10 x.x.100.50 MM_KEY_EXCH 0 0

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password encrypted

passwd encrypted



fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


access-list inside_access_in permit tcp x.x.10.0 any range ftp-data smtp

access-list inside_access_in permit tcp any any eq domain

access-list inside_access_in permit tcp any any eq www

access-list inside_access_in permit udp any any eq domain

access-list inside_access_in deny udp any range 1 65535 any range 1 65535

access-list outside_access_in permit tcp any host x.x.100.50 eq telnet

access-list outside_access_in permit tcp any host x.x.100.50 eq www

access-list outside_access_in deny tcp any any

access-list 101 permit ip x.x.10.0 x.x.0.0

pager lines 24

logging on

logging trap informational

logging facility 23

logging host inside x.x.10.199

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.100.50

ip address inside x.x.10.25

ip verify reverse-path interface outside

ip audit info action drop

ip audit attack action alarm

pdm location x.x.0.157 inside

pdm logging informational 100

pdm history enable

arp timeout 60

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0 0

static (inside,outside) tcp interface www x.x.10.199 www netmask 0 0

static (inside,outside) x.x.10.25 x.x.100.50 netmask 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside x.x.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

filter java 80

filter activex 80

http server enable

http x.x.10.0 inside

http x.x.10.157 inside

http x.x.10.35 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt security fragguard

sysopt connection permit-ipsec

sysopt noproxyarp outside

no sysopt route dnat

crypto ipsec transform-set Alb esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer x.12.177.10

crypto map transam 1 set transform-set Alb

crypto map transam interface outside

isakmp enable outside

isakmp key ******** address x.12.177.10 netmask

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet x.x.10.157 inside

telnet x.x.10.35 inside

telnet timeout 5

ssh x.x.10.157 inside

ssh timeout 5

dhcpd dns x.94.0.1 x.94.0.2

dhcpd auto_config outside

terminal width 80

Please Help me!

I thank you in advance

Cisco Employee

Re: PIX 501 problem

Config looks OK, we need more information other than "and don't work" to be able to help you though.

What is the other side of this tunnel? Are you absolutely sure it's configured properly with matching Phase 1 and 2 parameters? Can you run "debug cry isa" and "debug cry sa" on this PIX and then try and bring up the tunnel and post the output for us?

New Member

Re: PIX 501 problem

The problem was in the other side of the tunnel!

The conf at this moment work fine.

Thank 's for your help.

CreatePlease login to create content