Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX NAT prior to IPsec Pt to Pt tunnel

I have a situation where I would like to perform the NAT/PAT process on addresses going through a PIX that are going to traverse a point to point IPSEC tunnel.

The reason that I want to do this is because the source subnet that I am originating my Point to point tunnel from ( for example) already exists on the destination network(s) across the point to point tunnel. This subnet is a routed subnet on the destination of my point to point tunnel. I believe that my sessions would get routed and never return back to me.

Is it possible to perform NAT/PAT prior to sending IPSEC sessions with original addresses across the point to point tunnel ?

Any insight is greatly appreciated ....


Re: PIX NAT prior to IPsec Pt to Pt tunnel


Yeah, its possible.

Only thing to make sure is crypto ACLs, they should be based on IP address(es) after NAT/PATing, so that they match the crypto ACL, and get encrypted.

offcourse, other side should encrypt traffic for the symmetrical ACL.



New Member

Re: PIX NAT prior to IPsec Pt to Pt tunnel


Thanks for the response.

I am trying to clarify your answer.

Is this possible in the same PIX ?

Can I perform both the NAT/PAT on internal LAN addresses and then set up an IPSec tunnel in the same PIX or are you suggesting that the NAT/PAT process takes place external to the PIX in question ?

I am trying to avoid having to place another box in front of the PIX to perform the NAT/PAT process.