
Policy NAT on VPN traffic exiting the PIX inside interface

I currently have site to site VPN configured which works fine with the exception of policy NAT.  I want to be able to policy NAT traffic coming out of the VPN tunnel destined for the internal network.  For instance traffic from remote subnet x.x.x.x destined to y.y.y.5 would get NAT'd to the PIX inside interface IP address of y.y.y.1.

I am running Cisco PIX Firewall Version 6.3(5)

Any thoughts would be appreciated.  Thanks!

5 REPLIES

Re: Policy NAT on VPN traffic exiting the PIX inside interface

Hi,

So you want the ASA to decrypt the traffic, then NAT it when going to the internal network.

Don't you have the option to NAT it on the other side of the tunnel?

If not, I believe that with Policy NAT as you mentioned, it should work.

Federico.


Re: Policy NAT on VPN traffic exiting the PIX inside interface

Hi,

That is correct.  I was hoping to avoid NAT'ing on the other side of the tunnel if at all possible.  In most cases that is exactly what I would do but I have to NAT to an address on the same subnet as the PIX inside interface due to a host network limitation.

Here is the relevant part of the config which is not working:

access-list out-in-nat permit ip any host y.y.y.x

global (inside) 1 interface
nat (outside) 1 access-list out-in-nat 0 0

Re: Policy NAT on VPN traffic exiting the PIX inside interface

Try changing 'any' in the ACL to the source network or address of the remote site.
Make sure that this traffic is not included in the NAT 0 access-list, because it will take precedence.

Federico.


Re: Policy NAT on VPN traffic exiting the PIX inside interface

I tried changing the ACL but it is still not working.  I don't see any hits on the NAT ACL.

Re: Policy NAT on VPN traffic exiting the PIX inside interface

Did you verify that the traffic is not part of the NAT 0 ACL?

Could you post the output of:

sh run nat

sh run access-list

sh run static

Federico.
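An added example configuration, not posted by either participant, that puts Federico's two pieces of advice together (a specific remote source in the policy ACL, and a NAT 0 list that does not overlap it) and ends with the checks he asks for. Addresses are constructed RFC 1918 values standing in for x.x.x.x / y.y.y.x, the ACL name nonat is hypothetical, and the outside keyword on the nat line is an assumption about the PIX 6.x outside-NAT syntax rather than something this thread states.

```text
! Constructed topology:
!   remote VPN subnet        10.1.1.0/24        (the thread's x.x.x.x)
!   local inside subnet      192.168.1.0/24
!   PIX inside interface     192.168.1.1        (the thread's y.y.y.1)
!   host that must see only  192.168.1.5        (the thread's y.y.y.5)
!   the inside interface address as the source

! NAT exemption for inside hosts talking to the remote site.
! It deliberately matches only inside -> remote, not remote -> 192.168.1.5,
! so nat 0 cannot take precedence over the policy NAT below.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Policy NAT match: the remote source network instead of "any", and the
! single inside destination host.
access-list out-in-nat permit ip 10.1.1.0 255.255.255.0 host 192.168.1.5

! Translate matching traffic arriving on outside to the inside interface IP.
! "outside" marks this as outside NAT (assumption about 6.x syntax; confirm
! against the nat command reference for your exact release).
global (inside) 1 interface
nat (outside) 1 access-list out-in-nat outside 0 0

! Verification after sending traffic through the tunnel:
! hitcnt on the policy ACL should increase, and an xlate for 10.1.1.x
! to 192.168.1.1 should appear. Zero hits here with hits on nonat means
! the exemption list is still overlapping.
show access-list out-in-nat
show access-list nonat
show xlate
show run nat
show run static
```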
