Cisco PIX Site to Site VPN using NAT on internal addresses

Posted on 2005-04-07
Medium Priority
Last Modified: 2013-11-16
Cisco PIX Site to Site VPN using NAT on internal addresses

I am setting up a VPN connection to a customer that uses Checkpoint Firewall.

They (the customer running Checkpoint) already have a VPN connection to another customer who uses our internal address (

I would like to setup our VPN like this:

Our internal address address range  ----------> NAT to 172.x.x.x over a VPN tunnel to their site.

We already have several VPN's on our firewall.  So I will probably only need to setup a crypto map xx......

We are using a PIX515E.

Can someone supply me with the commands to accomplish this.
Question by:Joesmail
  • 2
  • 2
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 13725820
Here's a good reference:

Where that document shows an acl "nonat" "Do not perform nat on this traffic", use the exact same syntax for the access-list, but don't apply it to nat (inside) 0
Instead, do something like this, with a different private IP address:

 access-list 101 permit ip 172.x.x.0 <their internal subnet> <mask>
 access-list to_checkpoint permit ip <their internal subnet> <mask>
 global (outside) 3 172.x.x.1 172.x.x.254 netmask
 nat (inside) 3 access-list to_checkpoint

The rest of the crypto commands apply as they are.
LVL 10

Author Comment

ID: 13733204
Thanks Irmoore.

I will give it ago as soon as my overseas customer gets back to me.
LVL 10

Author Comment

ID: 13760191
You are brillant!

Code works perfectly.

One other question and its not that important.

I can't use the PDM anymore because it is saying it dosen't support NAT using acl's.  Only in MONITOR mode...

Is their any way around this, it dosen't matter if I have to use the command line from now on, just a pain for small tasks.


LVL 79

Expert Comment

ID: 13761746
You might have to upgrade the OS to 6.3(4) and PDM 3.02 to support this feature.

Glad it worked for you!

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question