Re: [fw-wiz] Pix to Pix VPN IPSec w/ PAT

From: John Adams (
Date: 03/24/03

  • Next message: Robert E. Martin: "[fw-wiz] two networks same proxy server"
    From: John Adams <>
    To: Paul Matuszewski <>
    Date: Mon, 24 Mar 2003 12:45:30 -0800 (PST)

    On Sun, 23 Mar 2003, Paul Matuszewski wrote:

    > Hey all.. newbie to the list here.. but I have a question for you all.
    > I've looked everywhere, and my cisco rep has yet to get back to me..
    > Is it possible to perform a CISCO pix501 to pix501 VPN w/ IPSec while still
    > utilizing PAT. The scenario is = Business Cable Modem to Business Cable
    > Modem... thoughts?

    If you mean running a PAT to the outside world while maintaining the
    internal (RFC1918) addressing between the two locations, this is
    entirely possible.

    Let's say the two networks are and

    Location 1) (the one with the network)

    # first create the access lists for the VPN:
    access-list 10 permit ip

    # You'll have to ensure that you're not natting users through the VPN:
    access-list nonat permit ip

    # Set up your PAT (replace x.x.x.x with your outside PAT address)
    global (outside) 1 x.x.x.x
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0

    # build your vpn, replace y.y.y.y with your peer's address

    crypto ipsec transform-set regular esp-des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    crypto map VPN 10 match address 10
    crypto map VPN 10 set peer y.y.y.y
    crypto map VPN 10 set transform-set regular
    isakmp key <your key goes here> address y.y.y.y netmask
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    sysopt connection permit-ipsec

    # always apply the maps last.
    isakmp enable outside
    crypto map VPN interface outside

    Now, invert the access lists for the remote site, and it'll work.


    J. Adams
    The secret of knowing where you are, is knowing what time it is. -- Anonymous
    firewall-wizards mailing list

  • Next message: Robert E. Martin: "[fw-wiz] two networks same proxy server"