Cisco Support Community

VPN client passthrough problem

I have what I think is a simple scenario but I can't find a way to implement a solution.

I have the following:

VPN Clients<->CiscoPix506e<->Cisco3000

The VPN clients run an IPsec VPN to the Cisco PIX 506e and can access its "internal network" just fine.

The Cisco PIX runs a VPN to another company where all network traffic is NATed to a single RFC1918 IP address before going out of the tunnel (a requirement of the other company to avoid address overlap issues), and everyone on the "internal network" can access that VPN just fine.

I want people using the VPN client to be able to access the other VPN. I think that the forced NAT to the external company VPN is a problem.

All examples for VPN to VPN traversal I see specify that NAT must be disabled along the entire path. I can't do that in this situation. Is it possible to make this work?

I'm guessing with one good ACL statement all my problems will be solved.

I've attached a PDF example network diagram to help explain the situation.

Network addresses of each are the following (real addresses changed to protect the innocent :) ):

Internal Network
External VPN End point
Address used for NAT on VPN

relevant IOS config

ip local pool VPN-CLIENTS
access-list inside permit ip any any
access-list NONAT permit ip
access-list EXTERNAL-ACL-VPN permit ip host
access-list EXTERNAL-ACL-NAT permit ip
ip address outside a.b.c.d
ip address inside
global (outside) 2 interface
global (outside) 1
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list EXTERNAL-ACL-NAT 0 0
nat (inside) 2 0 0
access-group outside in interface outside
route outside a.b.c.d 1


Re: VPN client passthrough problem

Just a quick question, and correct me if I'm misunderstanding your post.

Why can't your VPN client users just connect directly to the c3000 concentrator to access the external company?


Re: VPN client passthrough problem

Mainly for cost, maintenance, and speed of deployment reasons. The staff connecting are using XAUTH and tokens (authing off an internal RADIUS server) to log in. That functionality and level of control isn't available through the "external VPN" company.

Staff currently have to RDP into the company's internal network, and then launch a browser (inside their RDP session) to access the external VPN applications. I would prefer a more seamless experience for the end user.

My desired solution would mean the end user only needed one VPN session that would allow access to the internal network and external VPN at the same time. Slightly easier user experience.
