Re: [fw-wiz] PIX 515 and Cisco VPN client from inside

From: Brian Recore
Date: 08/29/03

To: Marko Kupiainen
Date: Fri, 29 Aug 2003 10:12:48 -0700

Marko Kupiainen wrote:

>Hi everyone,
>I'm new to the list and apologize if this question has been asked before.
>I read through the 2003 archives and couldn't find anything similar.
>Our company uses a PIX 515 with 3 legs: OUTSIDE, DMZ and INSIDE.
>We have users doing VPN tunnels from their homes with Cisco VPN client 4 and
>terminating the tunnels at the PIX. This works great.
>But we can't create tunnels from INSIDE terminating at other customers'
>endpoints. The tunnels are easily created if we work outside our PIX.
>The PIX 515 does PAT for all INSIDE connections using the outside interface IP.
>Are there any hooks when doing VPN over PAT with Cisco clients?
>Marko Kupiainen
>CIO Microcraft AB
>firewall-wizards mailing list
In my experience you don't want to NAT/PAT the VPN traffic. You do
this by using the command "nat 0". There are other commands that go with it that
I can't recall, but the point is to NAT/PAT all traffic except the VPN.
I had to do this a couple of times in the past. It seems IPSec had
problems with the NATed traffic.

Here is something from Cisco:

access-list 101 permit ip
global (outside) 1 netmask
nat (inside) 0 access-list 101
nat (inside) 1 0 0

This configuration will not translate those addresses with a source
address of and a destination address of . It
will translate the source address of any traffic initiated from within
the network and destined for anywhere other than into an address from the range -

Hope this leads you in the right direction
