Pix Nat Setup

Posted on 2005-04-28
Medium Priority
Last Modified: 2013-11-16

I need to set up NAT for the inside interface. The inside is and, because of a site-to-site VPN, I need to translate that address to

I don't even know where to start with this.

Example: if an inside host accesses the VPN, I need their address to translate to

Question by: Donnie4572

Author Comment

ID: 13886516
global (inside) netmask

Is this what I need to do? If yes, how is this applied to the inside interface?    nat (inside) 0  ??

Thanks for any help.


Accepted Solution

pazmanpro earned 2000 total points
ID: 13888858
Not quite. Now I am assuming that the users are also able to browse the web through the PIX, and only when accessing devices on the other side of the network over the VPN will they be translated. Also, the translation is going from the inside to the outside, that is, a host on the inside 10.1.3.X accessing the VPN will be going as 10.1.4.Y to the other end.

What you first have to do is create an access-list defining what network will be translated when accessing what. So

> access-list inside_to_vpn permit ip <ip_network_over_vpn> <netmask>

Next associate the access-list with a nat pool.

> nat (inside) 5 access-list inside_to_vpn

Now associate the NAT pool with the pool of IP addresses

> global (outside) 5 netmask

You should then have your NAT pools to allow other traffic, going to the internet for instance, to be translated to the public IP address. That is

> global (outside) 10 interface (or other ip pool)
> nat (inside) 10 0 0

The ID numbers (5 and 10 in this case) are important, as they are matched in order.

Now under normal circumstances, the traffic over a VPN is exempted from NAT, that is, the IP addresses are unchanged. You will have to ensure that these entries are not in there, as they are matched first before any others. Look for the commands "nat (inside) 0".

Hope this helps.

Expert Comment

ID: 13888873
As a note, the IP translations are not a 1-to-1 mapping. That is, is not translated to, but translated to the first available IP in the pool, which could possibly


Author Comment

ID: 13889299
Thanks for your reply.

You have explained exactly what I need.

The access list for the tunnel: does it have to contain the actual address of the host, the translated address, or both?

Expert Comment

ID: 13890112
The access-list for the actual tunnel must include the translated addresses (global) as the source and the remote network as the destination.

  access-list site1_vpn permit ip <remote IP subnet> <mask>
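
The pieces from the accepted solution (policy NAT ACL, nat/global pair, default PAT, the nat 0 pitfall) and from the comment above (the crypto ACL using the translated source) assembled into one PIX 6.3-style fragment, as an added example that is not configuration posted by anyone in this thread. It assumes inside 10.1.3.0/24 and a translated pool 10.1.4.0/24 (following the thread's 10.1.3.X / 10.1.4.Y), and a constructed remote LAN of 192.168.50.0/24; the ACL names inside_to_vpn and site1_vpn come from the thread, the name nonat is a placeholder. The isakmp and crypto map statements that bind site1_vpn to the peer are not on the page and are left out.

```cisco
! Added example (not from the thread): PIX 6.3 policy NAT for a site-to-site VPN.
! inside 10.1.3.0/24 and pool 10.1.4.0/24 follow the thread's 10.1.3.X / 10.1.4.Y;
! remote 192.168.50.0/24 is a constructed placeholder.
!
! 1. Define which traffic gets translated: inside hosts talking to the remote LAN.
access-list inside_to_vpn permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 2. Policy NAT: only traffic matching the ACL uses NAT ID 5.
nat (inside) 5 access-list inside_to_vpn
!
! 3. The pool NAT ID 5 draws from. This is dynamic, not 1:1: a host receives the
!    first free address, so size the pool for the number of concurrent inside hosts.
global (outside) 5 10.1.4.1-10.1.4.254 netmask 255.255.255.0
!
! 4. Everything else (Internet browsing) is PATed to the outside interface address.
!    Higher ID, so it is consulted after ID 5.
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
!
! 5. Crypto ACL for the tunnel matches on the TRANSLATED source (10.1.4.0/24),
!    since the PIX applies NAT before the crypto map is evaluated.
access-list site1_vpn permit ip 10.1.4.0 255.255.255.0 192.168.50.0 255.255.255.0
! (isakmp / crypto map statements binding site1_vpn to the peer are not shown)
!
! Pitfall: a NAT-exemption entry like the two lines below is matched before ID 5
! and would send the real 10.1.3.x addresses into the tunnel, defeating the
! policy NAT. Make sure no such entry covers this traffic:
!   access-list nonat permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0
!   nat (inside) 0 access-list nonat
```

To check the result, have an inside host open a connection to something on the remote LAN and run `show xlate`: the entry should map the 10.1.3.x host to an address in 10.1.4.1-10.1.4.254, while a connection from the same host to the Internet should show up as the outside interface address instead.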


Author Comment

ID: 13890123
Thank You.
