how to create vpn between 2 firewalls, when I have in the middle, a Cisco 837 with nat????

Posted on 2009-07-11
Medium Priority
Last Modified: 2012-08-13
Hi there:

I want to create a IPSec VPN between two PIX ver 6.3, but in the middle I have a cisco 831 ADSL router just with 1 Homologated IP.

I had implemented NAT overload on the router.

I think we need to configure NAT-T, but the question here is how can be this configuration implemented???

Please i you can help me.

Question by:1ktw08
  • 3

Expert Comment

ID: 24830991
That can be done.  When the VPN packets come in and hit the outside of the DSL router, then you need to port forward (or static nat) those packets to the PIX on the inside.  With NAT traversal turned on for the VPN at the endpoints, then it should work.

Author Comment

ID: 24831493
Ok. Now, applying port forwarding on router ADSL, Remote Office can not access Internet (It suppose that I need to access Internet not using Tunnel, but directly from the router.

This scenario can be implemented too???

Where do I need to activate NAT-T, on bot PIX devices, or on the router????

Expert Comment

ID: 24832979

You need to enable NAT traversal on both endpoints as brasslan said: I think the is "isakmp nat-traversal".

Hope this helps

Accepted Solution

1ktw08 earned 0 total points
ID: 24859541
Sorry, I can not establish yet the connectivity between both PIX with CISCO DSL - NAT router in the middle.

I can see from the Inside, the PIX is trying to connect to the remote PIX (located in the outside: In this case, How the remote PIX needs to be configured in order to reach inside PIX. In specific, the configuration of the Transform-set Peer, which must be the IP address that I need to configure, is the DSL outside IP from the router (, or the Inside local IP for the PIX located on the inside (10,16,17.146)???


I have on the PIX located in the Inside, this configuration:

crypto map koamap 10 set peer

isakmp nat-traversal
isakmp enable outside
isakmp key ******* address netmask


Author Comment

ID: 24864149
Any idea about this question???'


Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages.  This might be undesirable since the workplace can log all the places you've been.  It also might be very slow to load pag…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question