Cisco Support Community

New Member

Configuring PIX for multiple Global (outside) NAT pools

Dear all

I'm trying to configure an IPSEC VPN with one of my third-party suppliers. He does not accept my private IP address to connect to his network, so I need to NAT the traffic from my internal network going to his network. How can I configure a NAT for my internal network to use the outside interface IP address when going to the web and use a specific IP address when going to my third-party network via the IPSEC VPN?



Cisco Employee

Re: Configuring PIX for multiple Global (outside) NAT pools

You can do this with policy-NAT'ing in 6.3(3) code, see here for details:

Basically what you'd want (assuming is your inside network, and is your supplier's network):

For your Internet connectivity

global (outside) 1 interface

nat (inside) 1

and for your L2L tunnel traffic PAT'ing it to say,

global (outside) 50

nat (inside) 50 access-list l2ltunnel

access-list l2ltunnel permit ip

Policy NAT takes precedence over normal NAT so if the packet is due to go over the L2L tunnel it will be PAT'd to

Keep in mind that NAT also occurs BEFORE encryption, so now all the packets you want to encrypt will be from, so your encryption ACL will have to change to be:

access-list crypto permit ip host

crypto map 10 match address crypto
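
The ordering described in the reply above (policy NAT first, then the crypto ACL evaluated against the translated source), as an added example that is not part of the original post and is not PIX code. It is a simplified model; every address and the function names are constructed for illustration.

```python
"""Simplified model of the order of operations: policy NAT, then crypto ACL match."""
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not values from the thread).
INSIDE_NET = ip_network("10.1.1.0/24")        # inside network
SUPPLIER_NET = ip_network("192.168.50.0/24")  # supplier's network
OUTSIDE_IF = ip_address("203.0.113.1")        # outside interface (global 1)
TUNNEL_PAT = ip_address("172.16.99.1")        # PAT address for the tunnel (global 50)


def translate(src, dst):
    """Return the post-NAT source address; the policy NAT rule is checked first."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in INSIDE_NET:
        return src
    if dst in SUPPLIER_NET:      # packet matched access-list l2ltunnel
        return TUNNEL_PAT
    return OUTSIDE_IF            # ordinary nat 1 / global 1 interface


def crypto_match(acl, src, dst):
    """True if an already-translated packet matches a crypto ACL entry."""
    return any(src in s and ip_address(dst) in d for s, d in acl)


def is_encrypted(acl, src, dst):
    """NAT runs before the crypto ACL is evaluated."""
    return crypto_match(acl, translate(src, dst), dst)


# Crypto ACL written against the real inside network (pre-NAT view).
OLD_CRYPTO_ACL = [(INSIDE_NET, SUPPLIER_NET)]
# Crypto ACL written against the translated host, as the reply describes.
NEW_CRYPTO_ACL = [(ip_network(f"{TUNNEL_PAT}/32"), SUPPLIER_NET)]

if __name__ == "__main__":
    for name, acl in (("old", OLD_CRYPTO_ACL), ("new", NEW_CRYPTO_ACL)):
        print(name,
              "supplier:", is_encrypted(acl, "10.1.1.20", "192.168.50.7"),
              "internet:", is_encrypted(acl, "10.1.1.20", "198.51.100.9"))
```

With the old ACL the supplier-bound packet no longer matches after translation, which is the condition to check for when tunnel traffic stops being selected for encryption after adding policy NAT.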

New Member

Re: Configuring PIX for multiple Global (outside) NAT pools

Thank you for your reply.

This is what I thought we should configure from my research, but I'm using PIX 6.3(3) and trying to configure it using PDM 3.0(1). I enter a similar CLI command, and when I try to update the PDM config it comes up with an error and drops me to monitor mode. Any suggestions on how I can use the PDM, or should I forget about it?


Cisco Employee

Re: Configuring PIX for multiple Global (outside) NAT pools

PDM doesn't currently support Policy-based NAT, it was a special release in 6.3(2) and PDM hasn't quite caught up as yet. For the moment you'll just have to forget using PDM until the next release which should cover it, sorry about that.

New Member

Re: Configuring PIX for multiple Global (outside) NAT pools


Thanks for that.

I thought so. Would I be better off reducing the PDM version so I can still use it for most of the configs but not worry about the VPN and NAT config?

I have another PIX running 6.1 with PDM 1.0. The PDM does not stop working; it just lets me know which of the CLI config it does not understand.

On a different subject:

My 6.1 firewall is using conduits instead of ACLs.

Can the conduit-to-ACL conversion tool be 100% trusted?

I would like to upgrade my 6.1 PIX to the latest version, but I have over 350 conduit rules to convert and I'm worried that the conversion tool will not work 100%.


