Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX to Checkpoint VPN with NAT Problem

I am trying to establish a VPN between my PIX box and remote Checkpoint box. My VPN is working fine but the encrypted host on the Checkpoint side is unable to connected to my host my side. I setting up a tunnel between one host on the PIX side and one host the Checkpoint side. The host on the PIX side uses a internal address. The CheckPoint side requires me to use a "real" internet registered address so I had to NAT my internal address. Because of this requirement, I am not doing a NAT 0 for this tunnel. The problem is that when encrypted packets destined for my NATed address arrive on my PIX, it is decrypted on the outside interface and I am unable to translate it to my inside address. When I do a debug for the packet from the remote host to my NATed host, I see that is trying to reach it from the inside interface. Since that address is a NATed address, it does not know how to get there. I had heard somewhere that I had to do a reverse NAT but I am unsure how to do that. Any ideas?

  • Other Security Subjects

Re: PIX to Checkpoint VPN with NAT Problem

As of PIX OS version 6.2, the nat and global commands are no more restricted to the inside and the outside interface respectively. That means, the nat command can be applied on the outside interface. This is called bidirectional NAT. The NAT, PAT and static commands are all available bidirectionally.

In addition, you should probably have a look at the document 'Configuring an IPSec Tunnel through a Firewall with NAT' which is available at

New Member

Re: PIX to Checkpoint VPN with NAT Problem

The problem is that I am unable to do a reverse map from the outside interface because after the VPN is encrypted, the packet winds up on the inside interface. Now you have a packet that is destined for a NATed address on the inside interface. I can't do a statict (outside, inside) because the outside interface does not see the packet. I can't do a static (inside, outside) because I am not going to the outside interface, I am going to the inside interface. I would something that like an alias command that would redirect the packet but I tried it and does not work. Maybe I did it wrong. I tried doing "alias (inside) "inside address" "Nated address" mask. My hope was that the inside address would see that I was destined for this Nated outside address and redirect it to the inside address. I am wondering if there is an issue with routing in this case.