Cisco Support Community
Community Member

Policy NAT over VPN

Pix 525, OS 7.2(3)

I am trying to do the following:

Inside FTP-server

Outside NAT-address:

Remote Network:

VPN connection from remote network to outside NAT-address that should be redirected to inside FTP-server.

I am trying to use the static command like this:

access-list Crypto_map extended permit ip host

access-list FTP_OVER_VPN extended permit IP host

static (inside,outside) access-list FTP_OVER_VPN

The translation just doesn't work. Is there any better way to do this? I need to use policy NAT since I do not want the FTP-server to use the translated address any other time than over the VPN-tunnel.

Community Member

Re: Policy NAT over VPN

I have a similar scenario but in my case I'm specifying the service:

My ssh server:

NATted IP:

access-list 112 permit tcp host eq ssh object-group EDS_NETS

static (DMZ,outside) tcp ssh access-list 112 0 0

In this case my DMZ network overlapped with another VLAN on their side, so I natted my host. I am not sure if it is necessary to specify the service for it to work. Have you checked that you do not have another static matching the host before the policy-based static rule?
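An added example, not part of either post: a small Python check for the two things that commonly stop a policy static from working over a tunnel on PIX 7.x, namely a crypto ACL written against the real address instead of the mapped one, and an earlier static for the same host (the question raised in the reply). All addresses are constructed documentation values, the names `check`, `BROKEN` and `FIXED` are hypothetical, and only host-based `permit ip` ACLs and address-only statics are parsed, not the `tcp ... ssh` port form.

```python
import re

# Constructed sample (documentation addresses, not values from the thread).
# Real host 10.1.1.10, mapped address 203.0.113.10, remote net 198.51.100.0/24.
BROKEN = """\
access-list Crypto_map extended permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
access-list FTP_OVER_VPN extended permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 access-list FTP_OVER_VPN
"""
FIXED = """\
access-list Crypto_map extended permit ip host 203.0.113.10 198.51.100.0 255.255.255.0
access-list FTP_OVER_VPN extended permit ip host 10.1.1.10 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.10 access-list FTP_OVER_VPN
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
"""

ACL = re.compile(r"access-list (\S+) extended permit ip host (\S+) (\S+) (\S+)$", re.I)
POLICY = re.compile(r"static \(\w+,\w+\) (\S+) access-list (\S+)$", re.I)
PLAIN = re.compile(r"static \(\w+,\w+\) (\S+) (\d+(?:\.\d+){3})\b", re.I)


def check(config, crypto_acl):
    """Return a list of (code, detail) findings for host-based policy statics."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {}
    for ln in lines:
        m = ACL.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    findings = []
    for idx, ln in enumerate(lines):
        m = POLICY.match(ln)
        if not m:
            continue
        mapped, acl_name = m.groups()
        for real, net, mask in acls.get(acl_name, []):
            # Translation happens before the crypto ACL is matched, so the
            # tunnel must be defined on the mapped address, not the real one.
            if (mapped, net, mask) not in acls.get(crypto_acl, []):
                findings.append(("CRYPTO_ACL", f"{crypto_acl} lacks host {mapped} -> {net} {mask}"))
            # Statics are tried in order; an earlier plain static for the same
            # real host wins and the policy rule is never reached.
            for prev in lines[:idx]:
                p = PLAIN.match(prev)
                if p and p.group(2) == real:
                    findings.append(("SHADOWED", f"'{prev}' precedes policy static for {real}"))
    return findings
```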
