Cisco Support Community

VPN - Router to Router , PIX in the middle


When I do a tunnel from one router to another and there's a PIX between them, the connection uses NAT-T. I've configured an inbound ACL to permit isakmp and esp and I did a static translation.

I am forced to use NAT-T when going through a PIX. How do I configure the PIX if I want packets to use ESP?


Re: VPN - Router to Router , PIX in the middle

Hi buddy, it's very simple to have a VPN tunnel between 2 routers with a PIX in between without using NAT-T.

I hope you are using tunnel mode.

In the PIX do a nat (0) from the source IP of the router on the inside to the destination IP of the router outside, and on the outside of the PIX configure an access-list permitting traffic from the outside router IP address to the inside router IP address. That's it, you don't have to configure any NAT-T or any specific ACL for isakmp and esp.

Here the IP addresses I am referring to are the VPN peer IP addresses of the inside and the outside routers.

I am sure it will work. If you need any more help, do write back.

See ya



Re: VPN - Router to Router , PIX in the middle

Hi Sebastian ... it is not as simple as that ... because it is most likely that one of the routers is located on the Internet .. meaning it probably has a routable public address, in which case it is necessary to have static NAT. NAT-T needs to be configured on the devices terminating the VPN and the PIX needs to be configured to allow the IPsec traffic between the two peers (routers).

On the PIX ( inside network ) configure

static (inside,outside) netmask

You can filter the protocols you need, i.e. UDP 500, 50, 51 etc., using an access-list applied to the inside interface

access-list inside-out permit udp host host eq isakmp




access-group inside-out in interface inside

access-list outside-in permit udp host host eq isakmp




access-group outside-in in interface outside

I hope it helps ... Please rate it if it does !!!
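
An added example, not part of the original thread or any poster's configuration: a small Python check that reads PIX-style access-list entries and reports whether the ACL between two peers can carry native ESP (UDP 500 plus IP protocol 50), NAT-T (UDP 500 plus UDP 4500), or both. The peer addresses are constructed documentation addresses, only `permit ... host A host B [eq port]` entries are parsed, and the result says what the ACL passes, not what the peers negotiate.

```python
import re

# What a firewall between two IPsec peers must pass for each transport.
# IKE is UDP 500; native ESP is IP protocol 50; NAT-T wraps ESP in UDP 4500.
REQUIRED = {
    "native-esp": {("udp", 500), ("esp", None)},
    "nat-t": {("udp", 500), ("udp", 4500)},
}
PROTO_ALIASES = {"50": "esp", "51": "ah"}
PORT_ALIASES = {"isakmp": 500}

# Simplification: only "permit <proto> host A host B [eq port]" entries are parsed.
ACE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+|isakmp))?\s*$"
)

def permitted(config, acl, src, dst):
    """Return the (protocol, port) pairs the named ACL permits from src to dst."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m["acl"] != acl or (m["src"], m["dst"]) != (src, dst):
            continue
        proto = PROTO_ALIASES.get(m["proto"], m["proto"])
        port = m["port"]
        if port is not None:
            port = PORT_ALIASES.get(port) or int(port)
        pairs.add((proto, port))
    return pairs

def usable_transports(config, acl, src, dst):
    """List the transports whose every required flow is permitted."""
    allowed = permitted(config, acl, src, dst)
    return sorted(name for name, need in REQUIRED.items() if need <= allowed)

# Constructed sample: documentation addresses, ACL name taken from the thread.
SAMPLE = """
access-list outside-in permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
access-list outside-in permit udp host 198.51.100.1 host 203.0.113.10 eq 4500
access-group outside-in in interface outside
"""

if __name__ == "__main__":
    print(usable_transports(SAMPLE, "outside-in", "198.51.100.1", "203.0.113.10"))
    with_esp = SAMPLE + "access-list outside-in permit esp host 198.51.100.1 host 203.0.113.10\n"
    print(usable_transports(with_esp, "outside-in", "198.51.100.1", "203.0.113.10"))
```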