Cisco PIX Site to Site VPN using NAT on internal addresses

I am setting up a VPN connection to a customer that uses Checkpoint Firewall.

They (the customer running Checkpoint) already have a VPN connection to another customer who uses our internal address (

I would like to setup our VPN like this:

Our internal address address range  ----------> NAT to 172.x.x.x over a VPN tunnel to their site.

We already have several VPNs on our firewall.  So I will probably only need to set up a crypto map xx......

We are using a PIX515E.

Can someone supply me with the commands to accomplish this?
Here's a good reference:

Where that document shows an ACL "nonat" ("Do not perform NAT on this traffic"), use the exact same syntax for the access-list, but don't apply it to nat (inside) 0.
Instead, do something like this, with a different private IP address:

 access-list 101 permit ip 172.x.x.0 <mask> <their internal subnet> <mask>
 access-list to_checkpoint permit ip <our internal subnet> <mask> <their internal subnet> <mask>
 global (outside) 3 172.x.x.1-172.x.x.254 netmask <mask>
 nat (inside) 3 access-list to_checkpoint

The rest of the crypto commands apply as they are.
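As an added illustration (not part of the original answer), the following Python helper generates the four policy-NAT lines above from constructed RFC 1918 subnets and flags the usual mistake: on the PIX, translation happens before the crypto ACL is evaluated, so the "interesting traffic" ACL must name the translated 172.x.x.x pool, never the real inside range. All subnets, names and the ACL number are assumed values.

```python
import ipaddress


def build_policy_nat_vpn(inside_net, pool_net, peer_net,
                         nat_id=3, nat_acl="to_checkpoint", crypto_acl="101"):
    """Return PIX 6.x config lines that translate inside_net to pool_net only
    for traffic bound for peer_net, then select that translated traffic for
    the tunnel. Values are constructed examples, not a real deployment."""
    inside = ipaddress.ip_network(inside_net)
    pool = ipaddress.ip_network(pool_net)
    peer = ipaddress.ip_network(peer_net)
    # The pool must be unique on both ends, otherwise the reason for NAT is lost.
    if pool.overlaps(inside) or pool.overlaps(peer):
        raise ValueError("NAT pool overlaps the inside or peer subnet")
    hosts = list(pool.hosts())
    return [
        # Crypto ACL: matched after NAT, so the source is the translated pool.
        f"access-list {crypto_acl} permit ip {pool.network_address} {pool.netmask} "
        f"{peer.network_address} {peer.netmask}",
        # Policy NAT ACL: real inside source going to the peer is what gets translated.
        f"access-list {nat_acl} permit ip {inside.network_address} {inside.netmask} "
        f"{peer.network_address} {peer.netmask}",
        f"global (outside) {nat_id} {hosts[0]}-{hosts[-1]} netmask {pool.netmask}",
        f"nat (inside) {nat_id} access-list {nat_acl}",
    ]


def crypto_acl_uses_real_inside(lines, crypto_acl, inside_net):
    """True when the crypto ACL still names the untranslated inside subnet:
    traffic would never match the tunnel after NAT, and the real range would
    be advertised to the peer. Used as a pre-deployment sanity check."""
    inside = ipaddress.ip_network(inside_net)
    for line in lines:
        if line.startswith(f"access-list {crypto_acl} permit ip "):
            parts = line.split()
            src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")
            if src == inside:
                return True
    return False


if __name__ == "__main__":
    cfg = build_policy_nat_vpn("10.1.1.0/24", "172.16.50.0/24", "192.168.100.0/24")
    print("\n".join(cfg))
    print("crypto ACL leaks inside range:",
          crypto_acl_uses_real_inside(cfg, "101", "10.1.1.0/24"))
```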
Joesmail (Author) commented:
Thanks Irmoore.

I will give it a go as soon as my overseas customer gets back to me.
Joesmail (Author) commented:
You are brilliant!

Code works perfectly.

One other question, and it's not that important.

I can't use the PDM anymore because it is saying it doesn't support NAT using ACLs.  Only in MONITOR mode...

Is there any way around this? It doesn't matter if I have to use the command line from now on, just a pain for small tasks.


You might have to upgrade the OS to 6.3(4) and PDM 3.02 to support this feature.

Glad it worked for you!
