• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 541
  • Last Modified:

Pix Nat Setup


I need to setup nat for the inside interface. The inside is and because of vpn site to site I need to translate that address to

I don't even know where to start with this.

Example: if inside host access the vpn I need their address to translate to

  • 3
  • 2
1 Solution
Donnie4572Author Commented:
global (inside) netmask

Is this what I need to do? If yes, how is this applied to the inside interface?    nat (inside) 0  ??

Thanks for any help.

Not quite. Now i am assuming that the users are also able to browse the web through the PIX, and only when accessing devices on the other side of the network over the VPN that they will be translated. Also, the translation is going from the inside to the outside, that is a host on the inside 10.1.3.X accessing the VPN will be going as 10.1.4.Y to the other end.

What you first have to do is create an access-list defining what network will be translated when accessing what. So

> access-list inside_to_vpn permit ip <ip_nework_over_vpn> <netmask>

Next associate the access-list with a nat pool.

> nat (inside) 5 access-list inside_to_vpn

Now assciate the NAT pool with the pool of IP addresses

> global (outside) 5 netmask

You should then have you nat pools to allow other traffic going the the internet for instance to be translated to the public ip address. That is

global (outside) 10 interface (or other ip pool)
nat (inside) 10 0 0

The ID numbers (5 and 10 in this case) is important as they are matched in order.

Now under normal circumstances, the traffic over a VPN is exempted from NAT, that is, the ip addresses are unchanged. You will have to ensure that these entries are not in there as they matched first before any others. Look for the commands "nat (inside) 0".

Hope this helps.
As a note, the IP translations are not a 1 to 1 matching. That is is not translated to, but translated to the first available ip in the pool, which could possibly
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

Donnie4572Author Commented:
Thanks for your reply.

You have explained exactly what I need.

The access list for the tunnel does it have to contain the actual address of the host or the translated address or both?
The access-list for the actual tunnel must include the translated addresses (global) as the source, remote network as destination..

  access-list site1_vpn permit ip <remote IP subnet> <mask>

Donnie4572Author Commented:
Thank You.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now