I am trying to establish a VPN between my PIX box and a remote Checkpoint box. My VPN is working fine, but the encrypted host on the Checkpoint side is unable to connect to the host on my side. I am setting up a tunnel between one host on the PIX side and one host on the Checkpoint side. The host on the PIX side uses an internal address. The Checkpoint side requires me to use a "real" Internet-registered address, so I had to NAT my internal address. Because of this requirement, I am not doing a nat 0 for this tunnel. The problem is that when encrypted packets destined for my NATed address arrive on my PIX, they are decrypted on the outside interface and I am unable to translate them to my inside address. When I do a debug for the packet from the remote host to my NATed host, I see that it is trying to reach it from the inside interface. Since that address is a NATed address, it does not know how to get there. I had heard somewhere that I had to do a reverse NAT, but I am unsure how to do that. Any ideas?
As of PIX OS version 6.2, the nat and global commands are no longer restricted to the inside and the outside interface respectively. That means the nat command can be applied on the outside interface. This is called bidirectional NAT. The nat, pat and static commands are all available bidirectionally.
In addition, you should probably have a look at the document 'Configuring an IPSec Tunnel through a Firewall with NAT' which is available at
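As an added illustration (not part of the reply above, and not the original poster's configuration), here is the PIX 6.x arrangement Cisco's documentation uses when an inside host must appear to a VPN peer under a registered address: a one-to-one static maps the private host to the public address, and the crypto access list references the public (mapped) address, because the crypto engine matches on post-translation addresses. All addresses, names and the transform set are assumed placeholders from the documentation ranges, not values from the thread.

```text
! Assumed addresses (not from the thread):
!   inside host 10.1.1.10 presented to the peer as 203.0.113.10
!   Checkpoint peer 198.51.100.1 protecting remote host 192.0.2.20
!
! One-to-one static so the inside host is reachable as 203.0.113.10 in
! both directions; packets decrypted on the outside interface are
! untranslated back to 10.1.1.10 by this same entry.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Crypto ACL uses the MAPPED address, since NAT happens before encryption
! on the way out and before routing after decryption on the way in.
access-list vpn-traffic permit ip host 203.0.113.10 host 192.0.2.20

! IKE and IPsec parameters (must match what the Checkpoint side expects).
isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set cp-set esp-3des esp-sha-hmac
crypto map cp-map 10 ipsec-isakmp
crypto map cp-map 10 match address vpn-traffic
crypto map cp-map 10 set peer 198.51.100.1
crypto map cp-map 10 set transform-set cp-set
crypto map cp-map interface outside

! Let decrypted traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

Two things worth checking against this layout: `show xlate` should show the 203.0.113.10 to 10.1.1.10 entry, and the peer's encryption domain must list 203.0.113.10, not the private address, or Phase 2 proxy IDs will not match.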
The problem is that I am unable to do a reverse map from the outside interface because after the VPN packet is decrypted, it winds up on the inside interface. Now you have a packet that is destined for a NATed address on the inside interface. I can't do a static (outside,inside) because the outside interface does not see the packet. I can't do a static (inside,outside) because I am not going to the outside interface, I am going to the inside interface. I would like something like an alias command that would redirect the packet, but I tried it and it does not work. Maybe I did it wrong. I tried doing "alias (inside) "inside address" "NATed address" mask". My hope was that the inside interface would see that I was destined for this NATed outside address and redirect it to the inside address. I am wondering if there is an issue with routing in this case.