Cisco Support Community

Pix vpn NAT problems

Pix 515E ver 6.3(3).

I am using the PIX to act as a VPN headend device for approx. 60 sites (10 connected at present). For all of the sites connected so far I have been NATing the incoming source IP addresses, i.e.

nat (outside) 1 outside

nat (outside) 2 outside

the corresponding global statements have been added

global (inside) 1

global (inside) 2

There is a static command for the server they are accessing, and the VPN connections for these sites work fine.

However, I just tried to connect a site that did the NAT at their end, and although the VPN tunnel came up, no traffic was leaving the internal interface of the PIX destined for the server for that connection. I then added a NAT and global statement for this connection:

nat (outside) 3 outside

global (inside) 3

and the remote end could then access the server.

Should I have to do this, and if not, what am I missing from the config?

Any help would be much appreciated.




Re: Pix vpn NAT problems

The basic rules of PIX:

1) The packets crossing the PIX must satisfy the conditions of ASA (higher-to-lower interface flows are explicitly allowed; lower-to-higher must be permitted using access-lists/conduits).


2) The packets must satisfy the conditions of NAT (a mapping must exist, or the NAT 0 command must be used).
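As an added example (not configuration from either poster), this is the NAT 0 route the reply mentions, applied to the situation in the original post: a remote site that already NATs at its end and should reach the inside server without another nat/global pair. It assumes PIX 6.3 syntax, with constructed addresses, ACL names and a placeholder peer.

```cisco
! Added example, not from either poster. Assumes PIX 6.3 syntax; the addresses,
! ACL names and the peer are constructed placeholders.
!   Inside server the remote sites reach:            10.1.1.10
!   Remote site LAN (already NATed at their end):    192.168.50.0/24
!
! Rule 2 of the reply: traffic from this site matches no nat (outside) id, so
! exempt it explicitly with nat 0 instead of adding a third nat/global pair.
access-list nonat permit ip 192.168.50.0 255.255.255.0 host 10.1.1.10
nat (outside) 0 access-list nonat outside
!
! The server keeps its real address towards the outside interface (the
! existing static command the original post refers to).
static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
!
! Rule 1 of the reply: let decrypted IPsec traffic bypass the interface
! access-list checks instead of opening the outside interface with conduits.
sysopt connection permit-ipsec
!
! Crypto map entry for this site; the match ACL defines the interesting traffic
! and must mirror the nonat ACL so the same flows are both exempted and encrypted.
access-list vpn-site3 permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
crypto map outside_map 30 match address vpn-site3
crypto map outside_map 30 set peer <remote-peer-ip>
```

After applying it, check with show xlate that no translation is built for 192.168.50.0/24 sources and with show crypto ipsec sa that the encrypt/decrypt counters for peer 30 increase.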


Re: Pix vpn NAT problems

Well, yes and no. The PIX is acting as a headend device and the traffic is coming to the external interface.

For example, if I was configuring a site-to-site VPN normally, at the headend I would need a sysopt connection permit-ipsec command, an access-list for the crypto map entry and a static command(s) for the servers the VPN is giving access to. I would not need a nat statement for the source IP addresses as such, just a static mapping for the servers.

Normally you use the nat commands for inside to outside access. This is not what we are dealing with here.

Perhaps because I have explicitly used nat outside statements I need to be explicit also when I don't want to use NAT. I'll test it.
