
Single address NAT to VPN question


I have a VPN created between company A and company B. Company A is hosting a server that company B has access to and all is working as it should.

The PIX at company A is using a static command to translate the inside address of the server ( to an outside address ( Up to this point company B initiates all traffic and accesses the server using the outside address of

global (outside) 1 interface

nat (int-dmz) 1 0 0

static (int-dmz,outside) netmask 0 0

The server hosted at company A needs to initiate a connection to various ip addresses at company B. Being that the traffic is initiated on an interface that has a higher security level (int-dmz) than where it needs to go out of (outside), I know I need to use a NAT command and not a static command.

I’m just not sure of how to enter the correct NAT command to have the traffic initiated on be translated to and placed within the VPN back to company B.

Currently, the ACL for encrypted traffic on the PIX at company A is:

access-list 136 permit ip host object-group CompanyB-Nets

access-list 136 permit ip host object-group CompanyB-Nets

access-list 136 permit ip host object-group CompanyB-Nets

Any help is very much appreciated.



Jouni Forss


I am not sure if I understood you correctly.

You say you want the server at Site A to use the IP address towards the Site B hosts. Also are you sure there is not a typo in the above when you state that Site B hosts are currently using the IP address to reach the server?

From the looks of it that should already happen. When you have a Static NAT configured for a host it overrides most of the other NAT configuration types on the PIX firewall. The only configurations that can usually override this Static NAT are NAT0 configurations.

I imagine your PIX firewall can't use the "packet-tracer" command so we can't easily test what NAT rule the traffic would hit with that.

But judging by your above configurations your host should already be using the IP address towards the other site unless there is NAT0 or perhaps Static Policy NAT configured on the PIX which would override that.

Also the crypto ACL that you mention above seems to match the NAT rule so I don't see a problem.

What should happen is that the traffic coming from the host reaches the firewall and gets NATed to After that it will match the L2L VPN rules and should be forwarded through the VPN connection.

- Jouni

Jouni -

Thanks for responding.  You are correct about the typo, should have been

The other NAT statements applied to the dmz interface are...

     nat (int-dmz) 0 access-list 114

     nat (int-dmz) 1 0 0

     nat (int-dmz) 1 0 0

and access-list 114 used in the nat 0 statement is...

     access-list 114 line 1 permit ip

     access-list 114 line 2 permit ip

     access-list 114 line 3 permit ip object-group CompanyC-Hosts

     access-list 114 line 4 deny ip any

While I'm writing this response, I noticed line 4 in the ACL above and think that this may be the root of my problems.

Please correct me if I'm wrong, but I would think that I need the following statement in this ACL...

     access-list 114 line 4 permit ip object-group CompanyB-Hosts

Thanks again for your help.

- Dave


If you configured the ACL line you mention it would mean that NO NAT would be performed for the network when it's contacting network CompanyB-Hosts in either direction. It would override the "static" statement for the server.

As I don't know the network or host IPs of Company B I can't say if the NAT0 currently poses any problems for the L2L VPN.

But it seems to me that the "static" NAT IP address is used when the host from Company A connects to Company B through the L2L VPN.

Is there currently a problem that the host is NOT showing to the remote site Company B with the public IP address, or what is the problem?

- Jouni
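As an added illustration of the translation order Jouni describes (nat 0 access-list first, then static, then dynamic nat/global), the Python model below is not part of this thread or of any Cisco tool. It walks one packet from the int-dmz server to a Company B host through the three translation stages and then checks the translated packet against crypto ACL 136 to see whether it would be selected for the tunnel. All addresses and the contents of the CompanyB-Nets and CompanyC-Hosts object-groups are constructed placeholders, since the thread's real addresses did not survive.

```python
"""
Constructed model of the PIX 6.3 outbound translation order discussed in
this thread: the nat 0 access-list is checked first (identity NAT wins),
then the static translation, then dynamic nat/global PAT. The translated
packet is then matched against the crypto ACL to decide whether it enters
the L2L tunnel. All addresses below are placeholders.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

# Constructed placeholder addressing (the original post's addresses were lost)
SERVER_REAL = ip_address("10.10.10.5")        # server's address on int-dmz
SERVER_STATIC = "203.0.113.5"                 # outside address from the static command
OUTSIDE_IF = "203.0.113.1"                    # address used by "global (outside) 1 interface"
DMZ_NET = ip_network("10.10.10.0/24")
ANY = ip_network("0.0.0.0/0")
COMPANYB_NETS = ip_network("192.168.50.0/24")   # stands in for object-group CompanyB-Nets
COMPANYC_HOSTS = ip_network("172.16.0.0/16")    # stands in for object-group CompanyC-Hosts


class Ace(NamedTuple):
    """One access-list entry: action plus source and destination networks."""
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching entry decides; an explicit deny or no match returns False."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def translate_source(src: IPv4Address, dst: IPv4Address,
                     nat0_acl: List[Ace], statics: Dict[str, str]) -> str:
    """Pick the source address the packet carries on the outside interface."""
    # 1. nat (int-dmz) 0 access-list: identity NAT, overrides the static
    if acl_permits(nat0_acl, src, dst):
        return str(src)
    # 2. static (int-dmz,outside): fixed one-to-one translation
    if str(src) in statics:
        return statics[str(src)]
    # 3. nat (int-dmz) 1 with global (outside) 1 interface: PAT to the interface
    return OUTSIDE_IF


def evaluate(nat0_acl: List[Ace], dst: str) -> Tuple[str, bool]:
    """Return (translated source, whether crypto ACL 136 steers it into the tunnel)."""
    dst_addr = ip_address(dst)
    statics = {str(SERVER_REAL): SERVER_STATIC}
    # crypto ACL 136 as in the thread: permit ip host <static address> CompanyB-Nets
    crypto_acl = [Ace("permit", ip_network(SERVER_STATIC + "/32"), COMPANYB_NETS)]
    translated = translate_source(SERVER_REAL, dst_addr, nat0_acl, statics)
    return translated, acl_permits(crypto_acl, ip_address(translated), dst_addr)


# nat 0 ACL 114 as posted: Company C exempt from NAT, everything else explicitly denied
ACL114_AS_POSTED = [
    Ace("permit", DMZ_NET, COMPANYC_HOSTS),
    Ace("deny", ANY, ANY),
]
# ACL 114 with the proposed line 4: Company B traffic also exempt from NAT
ACL114_PROPOSED = [
    Ace("permit", DMZ_NET, COMPANYC_HOSTS),
    Ace("permit", DMZ_NET, COMPANYB_NETS),
]

if __name__ == "__main__":
    companyb_host = "192.168.50.10"
    for name, acl in (("as posted", ACL114_AS_POSTED), ("proposed", ACL114_PROPOSED)):
        src, tunneled = evaluate(acl, companyb_host)
        print(f"ACL 114 {name}: source appears as {src}, enters tunnel: {tunneled}")
```

With ACL 114 as posted, the server's packet falls through the nat 0 check, takes the static translation and matches crypto ACL 136, so it is selected for the tunnel. With the proposed permit line, identity NAT wins, the server's real int-dmz address leaves the firewall, and crypto ACL 136 (which names the static address) no longer matches it. Traffic to a destination outside Company B keeps the static address but is never a crypto ACL match.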

The problem is that it doesn't appear that traffic outbound from is being directed into the tunnel.  Below is a topology drawing of the configuration along with some of the commands from the Pix 515.


What was your PIX firewall's software level at the moment?

- Jouni

Cisco PIX Firewall Version 6.3(3)


Everything I have seen so far would indicate that this should already work.

The bad thing is that the software level is very old and therefore won't support the "packet-tracer" command, which would immediately tell us what would happen to the connection initiated from your network.

What is even more strange with this problem is the fact that you say they are already connecting to your server with the public destination IP address through the tunnel. Therefore it's even more confusing why it would not work in the other direction.

I don't know if I can do anything about this problem other than maybe look through the complete configuration and see if anything catches my eye.

I guess we could always check some VPN counters like

show crypto ipsec sa peer x.x.x.x

Where the x.x.x.x is the IP address of the Site B VPN device.

The output should tell us if any traffic is passing between the local and remote

- Jouni
