Cisco Support Community

New Member

Site to site VPN with PIX 515E and NAT before IPSec with access-lists
I want to establish a VPN tunnel from a PIX to another IPSec gateway in the following way:

Local network: This network should be natted to a global IP, say,
Destination host:
Remote Peer:

Users from should only be able to access the FTP service on the destination host. The local network needs to be natted to a valid IP address because the remote site security policy does not permit any communication with invalid/private IP addresses.

The IKE policy for the tunnel would be: HMAC-MD5, 3DES


Would the following config work:

NAT to the global IP:
nat (inside) 4
global (outside) 4

Define my interesting traffic:
access-list 115 permit ip host host

Control access to the remote host (ACL applied inbound on the inside interface):
access-list 116 permit tcp host eq ftp
access-list 116 permit tcp host eq ftp-data
access-group 116 in interface inside

Define access-list 115 as my interesting traffic:
crypto map map01 2 match address 115

Use ESP-3DES ESP-HMAC-MD5 as my transform-set.



Cisco Employee

Re: Site to site VPN with PIX 515E and NAT before IPSec with acc

This would work as far as the VPN connectivity is concerned, but it also means that anyone on the network that simply wants to go to the Internet will also be NAT'd to the address. As long as that is a valid address then you should be OK.

You really need/want to NAT this based on both the source and destination of the traffic, but you can't do this with the PIX. If there's a router on the inside of the PIX you could nat this traffic BEFORE it gets to the PIX based on an access-list, then your PIX config would simply say "send anything from going to the FTP server across the tunnel".
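The following is an added worked example of the approach the reply describes (source-and-destination-aware NAT on an IOS router sitting inside the PIX, so that only FTP traffic to the remote host is translated to the valid global address and ordinary Internet traffic is left alone). It is not configuration from either poster; all addresses (192.168.1.0/24 for the LAN, 198.51.100.10 as the valid global address, 203.0.113.50 as the remote FTP host, 10.0.0.0/24 as the router-to-PIX link), interface names, ACL numbers and the route-map/pool names are constructed placeholders.

```cisco
! ---- Inside IOS router (added example, not from the thread) ----
! Constructed addresses (RFC 5737 documentation ranges):
!   local LAN          192.168.1.0/24   private, must not reach the remote site
!   valid global addr  198.51.100.10    what the remote site will accept
!   remote FTP host    203.0.113.50
!   router <-> PIX     10.0.0.0/24      (router 10.0.0.2, PIX inside 10.0.0.1)
!
! ACL 120 is the NAT policy: it matches on BOTH source and destination, so only
! LAN -> remote FTP host traffic is translated. Everything else (e.g. web browsing)
! falls through untranslated and is NATed by the PIX exactly as today.
access-list 120 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.50 eq ftp
access-list 120 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.50 eq ftp-data
!
route-map VPN-NAT permit 10
 match ip address 120
!
! Single-address pool with PAT (overload) so the whole LAN hides behind one valid IP.
ip nat pool VPN-GLOBAL 198.51.100.10 198.51.100.10 netmask 255.255.255.0
ip nat inside source route-map VPN-NAT pool VPN-GLOBAL overload
!
interface FastEthernet0/0
 description LAN side
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description towards PIX inside interface
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! ---- PIX (added example fragment) ----
! The PIX now sees packets sourced from 198.51.100.10, so the crypto ACL and the
! NAT exemption both reference the already-translated address. ACL 115 does double
! duty as interesting traffic and as the nat 0 exemption so the PIX does not
! translate it a second time. The host route sends tunnel return traffic for the
! global address back to the router, where it is un-translated.
access-list 115 permit ip host 198.51.100.10 host 203.0.113.50
nat (inside) 0 access-list 115
route inside 198.51.100.10 255.255.255.255 10.0.0.2 1
crypto map map01 2 match address 115
```

With this split, the PIX's ordinary nat/global pair keeps handling Internet traffic for the private LAN, and only the flows the router has rewritten to 198.51.100.10 match the crypto ACL and enter the tunnel. Verify on the router with "show ip nat translations" while an FTP session to the remote host is open: only that session should show 198.51.100.10 as the inside global address.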