Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Help required

I have a situation where I need to setup a VPN L2L tunnel. The peer is using Checkpoint NG and I am using a PIX 515 (Code: 6.2(2))

Now my problem is the following:

The peer (Checkpoint end) needs us to 'hide' our LAN address (our LAN address is on a 10.x.x.x subnet) so that it can communicate with their internal LAN. The Checkpoint side will only allow us to communicate with them if we 'hide' our LAN side IP address.

Now my question is:

How can I setup the VPN tunnel so that when traffic goes out from my LAN to the Checkpoint it gets NAT'ed to a internet routable IP (which I have).

I hope the above explanation is clear but if you require further information then please let me know.

Any help/advice on this will be very much appreciated, I would really be grateful if someone can post configuration examples

Many thanks.


Re: VPN Help required

YOu can do this..

you need to first nat the IP on the PIX with an IP address .. infact PAT it... config will be something like one below:

nat (inside) 1

global (outside) 1

when configuring IPSEC crypto ACLs, you need to give the source IP as for triggering the interesting traffic.. this is possible, because NAT happens before encryption... similarly, on the other end, you need to give the destination IP subnet as ...

hope this solves your query... rate replies if found useful...


Community Member

Re: VPN Help required

Hi Raj - thanks for reply.

I'm sorry but I don't get it! I already have on my PIX:

nat (inside) 1 0 0

global (outside) 1 interface

I already have site-to-site VPN to other customers but this one customer requires that I hide our internal LAN IP when connecting to their network and to use an internet routable address, i.e. I must NAT!

How do I achive this VPN??

I'm slightly stuck on this so any help would be very much appreciated. If you could post configuration examples then this would help.

Many thanks in advance.

Community Member

Re: VPN Help required


As sachinraja said, you have to NAT your local network to an internet routable address when your local network have to go through this particular VPN tunnel.

You said you already have site-to-site VPN to other customers.

Look in your configuration, you should have these lines:

access-list nat_0_outbound permit ip 10.X.X.0 255.255.X.X

where 10.X.X.0 / 255.255.X.X is your local network and the remote network.

The VPN tunnel with the customer who wants you to hide your IP addresses will look like the same:

access-list NET1 permit ip 10.X.X.X 255.255.X.0

where 10.X.X.0 / 255.255.X.X is your local network and the remote network of this customer.

And you have to add the NAT rules, as Raj indicates:

nat (inside) 11 access-list NET1

global (outside) 11

where is the internet routable address the customer gave you.

Thanks you for giving us update on your case and if it works.

CreatePlease to create content