Cisco PIX Site to Site VPN using NAT on internal addresses

Posted on 2005-04-07
Last Modified: 2013-11-16

I am setting up a VPN connection to a customer that uses Checkpoint Firewall.

They (the customer running Checkpoint) already have a VPN connection to another customer who uses our internal address (

I would like to setup our VPN like this:

Our internal address range  ----------> NAT to 172.x.x.x over a VPN tunnel to their site.

We already have several VPNs on our firewall.  So I will probably only need to set up a crypto map xx......

We are using a PIX515E.

Can someone supply me with the commands to accomplish this?
Question by: Joesmail
    LVL 79

    Accepted Solution

    Here's a good reference:

    Where that document shows an acl "nonat" "Do not perform nat on this traffic", use the exact same syntax for the access-list, but don't apply it to nat (inside) 0
    Instead, do something like this, with a different private IP address:

     ! crypto (interesting traffic) ACL: source is the translated 172.x.x.0/24 range, not the real inside addresses
     access-list 101 permit ip 172.x.x.0 255.255.255.0 <their internal subnet> <mask>
     ! policy NAT ACL: same syntax as the nonat ACL, real inside source to their subnet
     access-list to_checkpoint permit ip <our internal subnet> <mask> <their internal subnet> <mask>
     ! NAT pool written as a start-end range; netmask value was missing
     global (outside) 3 172.x.x.1-172.x.x.254 netmask 255.255.255.0
     nat (inside) 3 access-list to_checkpoint

    The rest of the crypto commands apply as they are.
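    A complete PIX 6.3 fragment that puts the above together (a constructed example added here, not the expert's posted config): it assumes our inside LAN is 10.1.1.0/24, the partner's LAN is 192.168.50.0/24, the NAT pool is 172.16.99.0/24 and the Checkpoint peer is 203.0.113.5; the crypto map name, sequence number and transform-set name are also assumed.

```cisco
! Constructed example, not the expert's config. Assumed values:
!   inside LAN 10.1.1.0/24, partner LAN 192.168.50.0/24,
!   NAT pool 172.16.99.0/24, peer 203.0.113.5
!
! 1. Policy NAT: translate our real inside addresses ONLY when the
!    destination is the partner subnet. Source here is the real address.
access-list to_checkpoint permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
global (outside) 3 172.16.99.1-172.16.99.254 netmask 255.255.255.0
nat (inside) 3 access-list to_checkpoint
!
! 2. Crypto ACL: the PIX translates before it encrypts, so the
!    interesting-traffic ACL must match the TRANSLATED source.
access-list 101 permit ip 172.16.99.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 3. Check that the existing nat 0 exemption ACL does not also cover
!    10.1.1.0/24 -> 192.168.50.0/24; if it does, packets leave untranslated
!    and never match access-list 101 (verify with: show access-list nonat).
!
! 4. IKE/IPsec for the new peer. Algorithms must match the Checkpoint side.
!    Note: sysopt connection permit-ipsec lets decrypted tunnel traffic
!    bypass the outside interface ACL, so access-list 101 is the only
!    thing limiting what the partner can reach.
sysopt connection permit-ipsec
crypto ipsec transform-set cp-set esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address 101
crypto map outside_map 30 set peer 203.0.113.5
crypto map outside_map 30 set transform-set cp-set
crypto map outside_map interface outside
isakmp enable outside
isakmp key <pre-shared-key> address 203.0.113.5 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
```

    After the tunnel comes up, show xlate should list 10.1.1.x -> 172.16.99.x entries for sessions to the partner, and show crypto ipsec sa should show the 172.16.99.0/24 proxy identity, not 10.1.1.0/24.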
    LVL 10

    Author Comment

    Thanks Irmoore.

    I will give it a go as soon as my overseas customer gets back to me.
    LVL 10

    Author Comment

    You are brilliant!

    Code works perfectly.

    One other question, and it's not that important.

    I can't use the PDM anymore because it is saying it doesn't support NAT using ACLs.  Only in MONITOR mode...

    Is there any way around this? It doesn't matter if I have to use the command line from now on, it's just a pain for small tasks.


    LVL 79

    Expert Comment

    You might have to upgrade the OS to 6.3(4) and PDM 3.02 to support this feature.

    Glad it worked for you!
