Cisco Support Community

New Member

PIX NAT and IPsec

I have a PIX that has statically translated IPs for servers. For example, say the outside IP of a server is and the inside is I also have an IPSec tunnel with some vendors that can build a tunnel with my PIX for the network.

Is there any way I can build a tunnel with them for IPs? In other words, their requirement is to establish a tunnel for public IPs, which means that they want to have my PIX as a peer, but route anything going to through the tunnel. Sort of like PIX would first strip down the tunnel and then translate the IP addresses.

Would that work? Or do I have to move the VPN functionality to a device in front of PIX?

Thank you,


Cisco Employee

Re: PIX NAT and IPsec

You can create a tunnel based on the public IP address of your host, so the PIX accepts the IPsec traffic, decrypts it, and then translates it back to the inside IP address of the host. Make sure, though, that you exclude the PIX outside interface from your crypto ACL if the host on the public side is within the same subnet as the PIX outside interface.
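
A configuration sketch of the setup described in the reply above, added here as an illustration and not taken from either poster. It uses PIX 6.x-style syntax; every address is a constructed documentation value (server public 192.0.2.10, server inside 10.1.1.10, PIX outside interface 192.0.2.1, vendor peer 203.0.113.1, vendor network 198.51.100.0/24), and the names VENDOR_CRYPTO, VENDOR_SET and OUTSIDE_MAP, as well as the transform set, are assumptions. IKE policy and pre-shared key statements are omitted.

```text
: Static translation: public 192.0.2.10 <-> inside 10.1.1.10
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255

: Crypto ACL is written against the PUBLIC (translated) address, because
: the PIX translates outbound traffic before matching it against the
: crypto map. Do not add a "nat 0" exemption for this flow, or the
: untranslated inside address would be matched instead.
access-list VENDOR_CRYPTO permit ip host 192.0.2.10 198.51.100.0 255.255.255.0

: Avoid a subnet-wide entry such as
:   access-list VENDOR_CRYPTO permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
: because 192.0.2.0/24 also contains the PIX outside interface (192.0.2.1).
: Host entries like the one above keep the interface out of the crypto ACL.

crypto ipsec transform-set VENDOR_SET esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VENDOR_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set VENDOR_SET
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
```

The vendor side needs the mirror-image crypto ACL (their network to host 192.0.2.10), since both peers must agree on the protected traffic for the tunnel to come up.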