New Member

PAT addresses across VPN

I have set up a site-to-site VPN from a PIX running 7.2(1) to a 3rd party.

We wish to push traffic behind a PAT address, rather than a simple NAT.

All external traffic hides behind a PAT address (but this is not the address we want) unless it is statically NATted.

What I need to know is how I would get the PAT to work when the ACL for the normal PAT is permit IP ANY ANY.

Hall of Fame Super Blue

Re: PAT addresses across VPN


Do you need to use an ACL for the normal PAT? If not, you could just use an ACL for your VPN NAT. If you do need to use PAT, you will need to modify the existing ACL. So

your private network -

the remote VPN network you are trying to reach -

You PAT all addresses to

You want to use for the VPN traffic.

So assuming you have something like this in your config as you are using an acl for NAT/PAT

access-list 101 permit ip any any

nat (inside) 1 access-list 101

global (outside) 1

you need to make the following modifications

access-list 101 deny ip

access-list 101 permit ip any any

access-list 102 permit ip

nat (inside) 2 access-list 102

global (outside) 2


New Member

Re: PAT addresses across VPN


Thank you for your response.

Unfortunately, this is not the correct solution. However, I have resolved the issue.

Removing and trying to reapply ACL 101 produced the evidence to support a memory I had but wasn't 100% sure about.

The ACL used for this control cannot have a deny statement in it. (The PIX rejects it as an error, although it didn't when I added the rule to the pre-existing ACL.)

The solution was to remove ACL 101, create ACL 102 and the associated PAT condition, then reapply ACL 101, and funnily enough it all worked.

Thanks for your assistance.
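
An added example, not part of the original posts and not Cisco tooling: a small Python check for the restriction reported in the post above, flagging any `deny` entry in an ACL that a `nat (...) <id> access-list` statement references. The sample configuration and its addresses are constructed placeholders, and skipping NAT ID 0 is an assumption made because the thread only covers PAT.

```python
import re

# Constructed sample config; the addresses are documentation/private
# placeholders and do not come from the thread.
SAMPLE_CONFIG = """\
access-list 101 deny ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list 101 permit ip any any
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 1 access-list 101
global (outside) 1 198.51.100.10
nat (inside) 2 access-list 102
global (outside) 2 198.51.100.20
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\b", re.I)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)", re.I)


def find_deny_in_nat_acls(config):
    """Return (nat_line, acl_name, deny_ace) for every deny ACE in an ACL
    that a policy NAT/PAT statement references."""
    aces = {}      # ACL name -> list of (action, full line)
    nat_refs = []  # (nat line, ACL name)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append((m.group(2).lower(), line))
            continue
        m = NAT_RE.match(line)
        # Assumption: NAT ID 0 is left out; the thread only discusses PAT.
        if m and m.group(2) != "0":
            nat_refs.append((line, m.group(3)))
    # Resolve references after the full pass so statement order does not matter.
    return [
        (nat_line, acl, ace)
        for nat_line, acl in nat_refs
        for action, ace in aces.get(acl, [])
        if action == "deny"
    ]


if __name__ == "__main__":
    for nat_line, acl, ace in find_deny_in_nat_acls(SAMPLE_CONFIG):
        print(f"ACL {acl} used by '{nat_line}' contains a deny entry: {ace}")
```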


Hall of Fame Super Blue

Re: PAT addresses across VPN


From memory I thought I had done this, but perhaps I was thinking of it on a router rather than a PIX.

Apologies for providing an incorrect answer and thanks for coming back with your solution. I have rated the post.