Cisco Support Community
Community Member

After Tunnel Ends, Need to NAT and Forward Packets

Hi Everyone:

This is my second post; I desperately need to know whether or not what I'm attempting is even possible.

I have a Pix into which both remote access and site-to-site tunnel sessions terminate (via RAN and Outside interfaces).

Users are currently able to access resources directly connected to the PIX (e.g. servers in the DMZ).

I now want to give said users access to a remote office. For this, I want to forward packets out another interface (call it RAN2) to an IPSEC router that starts a new tunnel across the internet.

The trick is, I want to overload NAT (PAT) all forwarded packets so their source address becomes RAN2's address. This would simplify the crypto ACL on the IPSEC router (and its remote peer) as we wouldn't have to contend with multiple addresses (ip local pools, private LAN addresses from the PIX).

I'm challenged on how to configure the NAT global pair in the PIX to effect the nat. Eg. the following doesn't work:

nat (ran) 5 pool_subnet

nat (outside) 5 pool2_subnet 255.255.0 //the pix coughs at this

global (ran2) 5 interface //I've tried with actual IP address as well.

Any assistance would be greatly appreciated.


Re: After Tunnel Ends, Need to NAT and Forward Packets

Community Member

Re: After Tunnel Ends, Need to NAT and Forward Packets


Thanks for the response. That's what I eventually ended up doing. Only downside, too many statics...but it works.

