Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Natting over IPSec Tunnel in PIX Firewall


We have a PIX 525 FW is IOS Ver. 6.3. We are using a 172.x.x.x network in our LAN. We need to establish a VPN tunnel from our firewall to one of our clients firewall. Our client is ready to allow access to his network only if our private ip address are natted to a public ip range. I would like to know how to configure the NAT and IPSec in this kind of scenario. We have done similar configurations using Checkpoint and it works well there. I tried a couple of configurations for NATting as follows over the IPSec tunnel.

access-list acl_outbound permit ip

nat (inside) 1 access-list acl_outbound

global (outside) 1

In the above configuration 172.16.x.x is my local network and 10.100.x.x is my clients network. When the access-list matches i am natting it to the public ip range. I am specifying the public ip range in my VPN interesting traffic. After i issue this command and save the configurations and when i try to open the PDM i get a message saying "Policy Based NAT is not supported" and the PDM doesnt allow me to do any changes through PDM.

Can somebody let me know how to configure a PIX in this kind of scenario.


G.G. Venkat Raman,



Re: Natting over IPSec Tunnel in PIX Firewall

I think your client is being a bit pedantic, I take it you really want to do a LAN to LAN vpn, which is normal, if he is worried he can control your access by ACLs etc at his end, The VPN endpoints will be the public addresses of your firewalls through which the VPN tunnels flow, Its a bit difficult to see what your client really wants

New Member

Re: Natting over IPSec Tunnel in PIX Firewall

The reason is my client already has a network in 172.x.x.x subnet. Since we are also using the same subnet he wants us to nat and send it in a public ip range so that there is no routing isses.

Re: Natting over IPSec Tunnel in PIX Firewall

Ok,I see. Have you a router in the network that you could do the natting on to some IP address ( preferably a private one) that your client does not have, then send it through the Pix.

CreatePlease login to create content