331 Views, 0 Helpful, 1 Replies

Policy NAT for VPN Traffic on PIX

anandramapathy
Level 3

Hello All,

Can you help me get this issue fixed?

I have a PIX 515 running 6.3.3.

I have 25 public IP addresses & about 40 users using different kinds of VPN clients (Cisco, Checkpoint etc.). They may not all be connecting at the same time.

So I want to define a policy NAT based on an access list which distinguishes between VPN traffic & non-VPN traffic.

The VPN traffic should be assigned a static NAT & the others should be PAT translated.

By this I save on the number of public IP addresses used & avoid requesting additional addresses.

I have tried the following options.

a) Created an access-list with VPN ports

access-list VPN_ACL permit udp any any eq isakmp

access-list VPN_ACL permit esp any any

access-list VPN_ACL permit gre any any

access-list VPN_ACL permit ah any any

b) Created a NAT pool for VPN traffic with ID 1

global (outside) 1 xx.xx.xx.1-xx.xx.xx.25 netmask 255.255.255.224

nat (inside) 1 access-list VPN_ACL

c) Created a PAT IP for non-VPN traffic with ID 2

global (outside) 2 xx.xx.xx.26

nat (inside) 2 10.0.0.0 255.0.0.0 0 0

In spite of this, the VPN traffic is not getting NATted.

I tried: static (inside,outside) xx.xx.xx.1-xx.xx.xx.25 VPN_ACL

But the PIX is not accepting this command. I get a message which says an IP ESP packet cannot be translated to an IP packet.

Can anybody please help?

1 Reply

umedryk
Level 5

This configuration looks good. Maybe you can double-check your ACLs, especially the mask part.
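To make the question above concrete, here is an added example (not part of the original thread, and not Cisco or the poster's code) that models how a PIX 6.3 picks a NAT rule for a packet and why a PAT global can never carry ESP, AH or GRE. It assumes the documented PIX 6.3 precedence (nat 0 access-list, then static, then policy NAT with an access-list, then regular nat, in configured order within each class) and simplifies PAT capability to "the protocol carries a port or an ICMP id", ignoring protocol-specific fixups. The addresses, ACL entries and packets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Protocols a single PAT address can multiplex: they carry a port (TCP/UDP) or an ICMP id.
# ESP, AH and GRE have no such field, so a PAT global cannot build an xlate for them
# (simplification: PIX 6.3 protocol fixups are ignored in this model).
PAT_CAPABLE = {"tcp", "udp", "icmp"}

# Assumed PIX 6.3 NAT precedence, highest first: nat 0 access-list (exemption),
# static, policy NAT (nat with access-list), then regular nat.
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "regular": 3}

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "esp", "ah", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    """One access-list line: protocol, source, destination, optional destination port."""
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

@dataclass(frozen=True)
class NatRule:
    kind: str                      # "exempt" | "static" | "policy" | "regular"
    nat_id: int
    global_mode: str               # "pool" (1:1 dynamic NAT) or "pat" (one shared address)
    acl: tuple = ()                # policy rules: the access-list entries
    network: Optional[str] = None  # regular rules: the local network

    def matches(self, pkt: Packet) -> bool:
        if self.acl:
            return any(e.matches(pkt) for e in self.acl)
        return self.network is not None and ip_address(pkt.src) in ip_network(self.network)

def select_nat(rules, pkt):
    """Return (nat_id, outcome): 'translated', 'no-xlate' (PAT cannot carry the protocol) or 'no-match'."""
    ordered = sorted(rules, key=lambda r: PRECEDENCE[r.kind])  # stable sort keeps config order per class
    for rule in ordered:
        if rule.matches(pkt):
            if rule.global_mode == "pat" and pkt.proto not in PAT_CAPABLE:
                return rule.nat_id, "no-xlate"
            return rule.nat_id, "translated"
    return None, "no-match"

# Constructed model of the posted configuration (placeholder networks, not real addresses).
VPN_ACL = (
    AclEntry("udp", dport=500),  # access-list VPN_ACL permit udp any any eq isakmp
    AclEntry("esp"),
    AclEntry("gre"),
    AclEntry("ah"),
)
POSTED_RULES = [
    NatRule("policy", 1, "pool", acl=VPN_ACL),           # nat (inside) 1 access-list VPN_ACL + global range
    NatRule("regular", 2, "pat", network="10.0.0.0/8"),  # nat (inside) 2 10.0.0.0 255.0.0.0 + single global
]

# Tighter variant: scope the policy NAT ACL to the inside network, so only inside-sourced
# traffic is eligible for the 1:1 pool (the posted ACL uses "any" as its source).
VPN_ACL_TIGHT = tuple(AclEntry(e.proto, src="10.0.0.0/8", dport=e.dport) for e in VPN_ACL)
TIGHT_RULES = [NatRule("policy", 1, "pool", acl=VPN_ACL_TIGHT), POSTED_RULES[1]]

# Failure mode: if VPN traffic only ever reaches the PAT global, ESP gets no xlate at all.
PAT_ONLY_RULES = [POSTED_RULES[1]]

def demo():
    isakmp = Packet("udp", "10.1.1.5", "203.0.113.9", 500)  # constructed sample packets
    esp = Packet("esp", "10.1.1.5", "203.0.113.9")
    web = Packet("tcp", "10.1.1.5", "203.0.113.9", 443)
    return {
        "isakmp_posted": select_nat(POSTED_RULES, isakmp),
        "esp_posted": select_nat(POSTED_RULES, esp),
        "web_posted": select_nat(POSTED_RULES, web),
        "esp_pat_only": select_nat(PAT_ONLY_RULES, esp),
        "esp_tight": select_nat(TIGHT_RULES, esp),
    }

if __name__ == "__main__":
    for name, (nat_id, outcome) in demo().items():
        print(f"{name:14s} -> nat id {nat_id}, {outcome}")
```

Run as a script, it shows ISAKMP and ESP from an inside host landing on the 1:1 pool (nat id 1) while ordinary web traffic falls through to the PAT global (nat id 2); with the policy rule removed, ESP matches the PAT global and cannot be translated, which is the same constraint behind the "ESP packet cannot be translated" message the poster saw. The tightened ACL shows that narrowing the source to the inside network changes nothing for legitimate traffic but stops outside-sourced packets from consuming pool addresses.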