Cisco Support Community

Hello, I'm having this issue for quite a few days now.

I have a Cisco PIX 6.3.3, which currently has a VPN tunnel to another PIX. I have quite a few local networks behind my PIX, let's say for example

The people from the other side of the tunnel only want to see the network /24, so I have NAT configured to translate the traffic that goes to the tunnel. I've used policy NAT (nat with an ACL).

The thing is that when a server from the local network accesses the VPN first, it does not NAT ever again. I mean, it remains with the translated IP, for example, but does not NAT with the outside interface to access the Internet.

Here's a glimpse of the configuration:

global (outside) 14 netmask
global (outside) 1 interface

nat (inside) 14 access-list VPN
nat (inside) 1

access-list VPN permit ip VPN-Network

I have read about the NAT priorities and in theory they are OK, but still don't work.

Any ideas?


Re: PIX and VPN + NAT

Instead of using nat-global (unless you want to PAT your traffic) for both translations, you should use static for the VPN translation. As you only have a /24 network in your inside network, you should restrict your VPN ACL to match specific traffic.

Try changing your configuration so it looks like this:

access-list VPN permit ip VPN-Network
static (inside,outside) access-list VPN
nat (inside) 1
global (outside) 1 interface

You can try that.

- Yamil
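As an added illustration, not taken from either poster's configuration, here is the full shape of the two layouts this thread compares, written with constructed addresses: 192.168.10.0/24 as the real inside network, 172.16.5.0/24 as the network the VPN peer expects to see, and 10.20.0.0/16 as the peer's network. All three values, the ACL name CRYPTO and the global pool range are assumptions chosen for the example. PIX 6.3 evaluates NAT exemption (nat 0 access-list) first, then static translations including policy static, then policy nat/global, then regular nat/global, which is why the static policy translation in the second layout is consulted for VPN-bound traffic before anything falls through to the interface PAT.

```cisco
! Constructed example; addresses and the CRYPTO ACL name are assumptions, not the thread's values.
! Inside real network 192.168.10.0/24, VPN-visible network 172.16.5.0/24, peer network 10.20.0.0/16.

! --- Layout 1: what the question describes (dynamic policy NAT plus interface PAT) ---
access-list VPN permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 14 access-list VPN
global (outside) 14 172.16.5.1-172.16.5.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Layout 2: what the answer recommends (static policy NAT plus interface PAT) ---
! Same ACL: real inside source, remote destination. The mapped network is given on the static line.
access-list VPN permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
static (inside,outside) 172.16.5.0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! NAT is applied before IPsec on egress, so the crypto map's match ACL must name the
! translated source, not the real inside network.
access-list CRYPTO permit ip 172.16.5.0 255.255.255.0 10.20.0.0 255.255.0.0

! After changing translation rules, drop the existing translation table so hosts that
! already hold a translation pick up the new rules.
clear xlate
```

After applying the second layout, `show xlate` should list a 192.168.10.x to 172.16.5.x entry only for connections toward 10.20.0.0/16, while the same host's Internet traffic appears under the outside interface address from the interface PAT.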