Cisco Support Community

PIX Policy NAT

Is there anyone who has worked with Policy NAT on PIX 6.3(2)?

I have a scenario where a central PIX VPNs to a remote site PIX.

I want to translate the remote site's inside private addresses because they conflict with another remote site.

So I want the remote PIX to translate to a private pool for establishing the VPN, and translate to the public outside interface address for internet access.

CentralPIX ----- 206.x.x.58 RemotePIX xlate

Remote PIX config

access-list nonatvpn permit ip

global (outside) 1 interface

nat (inside) 0 access-list nonatvpn

nat (inside) 1 0 0

static (inside,outside) access-list nonatvpn 0 0

Test 1 - ping internet


PAT Global 206.x.x.58(1) Local ICMP id 512

Test 2 - ping vpn ( while ping internet is still running )

replies but ping on internet stops responding

Global Local

So it works, but not simultaneously. Is this the normal behavior of that functionality or did I miss something? I would like to have both accesses at the same time.



Re: PIX Policy NAT

The problem of overlapping address space can be solved using enhanced NAT/bi-directional NAT, which allows you to apply the NAT and global commands to the outside and inside interfaces respectively. The earlier restrictions wrt placement of these commands are not valid any more. You could also see a related document at