PIX 501: NAT VPN Clients to Inside?

Discussion in 'Cisco' started by Aaron, Apr 24, 2008.

  1. Aaron

    Aaron Guest

    Ok. What I want to do seems quite simple, but whatever I just can't
    quite get the pieces to mesh. I have a pix 501 that I'm trying to
    configure to provide VPN access to our local network for clients
    running the Cisco VPN client 4.x.

    Our network is separated into VLANs, but uses public IPs for most
    machines. I'll use fake numbers for my examples though. The Outside
    interface has a public IP of This is connected to our
    DMZ VLAN. The "Inside" interface has a public IP of,
    which is connected to a separate VLAN.

    What I want to do is have the VPN clients connect to the outside
    interface, get a private IP (from and then be NAT'd
    (PAT) to the inside interface IP of That way, the
    routing meshes with everything because all the VPN client traffic
    would appear to come from the interface IP of the pix. In all the
    various permutations of configurations I've done, it ends up with the
    client computer connecting, getting a 192.168 address, and then it
    merely passes through the IP un-NAT'd (i.e., the servers on the local
    network see connections coming in from 192.168.2.x). I can make this
    work by adding static routes to direct traffic destined for
    192.168.2.x to the PIX, but I'd rather have it just NAT everything to
    make things cleaner.
    Aaron, Apr 24, 2008

  2. Aaron

    Aaron Guest

    Oh, and my intention is to do this with Split Tunneling so the clients
    don't lose access to their local networks.
    Aaron, Apr 24, 2008

  3. Aaron

    Aaron Guest

    I have this working now, though I'm not sure why or how. :) I added
    a NAT exemption rule for our entire public IP space to the 192.168.2.x
    space and suddenly it started working. o_0 I added this through PDM
    so I'll look closer at the actual "sh run" output to see if I can
    fathom why that change made things work.

    But now I have another question. I'd like to apply access
    restrictions to the VPN clients so I added a deny rule on the outside
    interface to block everything. But it seems that that isn't being
    applied to traffic from VPN clients. If I want to block traffic from
    the 192.168.2.x clients to everything on the 172.46.24.x network (and
    then open up the specific items I want them to have access to) how
    would I go about doing that?
    Aaron, Apr 24, 2008
  4. Aaron

    Darren Guest

    By default the firewall will likely have sysopt configured and as a
    result your VPNs will bypass the ACL feature check.

    Secondly, you say that your NAT exemption rule is allowing all networks
    back to your VPN pool. If so you may want to think about restricting
    this using an ACL and NAT combo. Identify only the networks you want to
    allow in No-NAT back to your clients, anything not identified will be
    denied through the implicit 'deny any' at the end of the ACL.

    Thirdly, I believe that you can apply access-list filters to the VPN
    client tunnel as well. Look at the ASDM remote access VPN options; you
    should spot how to do it. It's fairly intuitive.


    Darren, Apr 24, 2008
  5. Aaron

    Aaron Guest

    Heh. "Intuitive" and "PIX" are two words I never use in the same
    sentence. I did, however, find the HUGE GLARING check option entitled
    "Bypass access check for all IPSec Traffic". Not sure how I missed it
    as the only way it could have been more obvious is if it had been on
    fire or something.

    I'm still a little fuzzy on the NAT exemption rule. I understand what
    you're saying about restricting networks coming BACK to the vpn pool
    addresses (192.168.2.x), but what I'm not following is that it appears
    that I need to have that NAT "exemption" rule in place for the VPN
    clients to be NAT'd to those network hosts. This is counter-intuitive
    to me (see first sentence....:) ) as I would think that if a host was
    on the list to be exempted from NAT it would be...well, exempted.
    Unless Cisco uses some other wacky definition of "exempt".
    Aaron, Apr 25, 2008
  6. Aaron


    Apr 26, 2008
    Nat exemption

    Hi All

    I have configured AnyConnect SSL VPN using ASDM mode. While configuring this, it gave a message to add a NAT exemption rule. I am not aware of how to add this. Please let me know how to configure it using the command line or ASDM, with an example.


    madhav, Apr 26, 2008
  7. Aaron

    Darren Guest

    The bypass ACL check would normally be checked by default. If you don't
    have it you would need to allow additional ACL entries to permit the
    un-encrypted traffic in.

    As for the NAT exemption, you simply need to create a no-nat access-list
    for the internal networks that you want to allow back to your VPN pool
    range. If you don't, the traffic is natted and you won't receive it when
    you VPN in.


    Darren, Apr 27, 2008
  8. Aaron


    Apr 27, 2008
    If you need actual CLI commands something like the following should set up the NAT exemption for you:

    access-list nonat permit ip w.w.w.w x.x.x.x y.y.y.y z.z.z.z
    nat ([inside interface name]) 0 access-list nonat

    The only variables are the access-list name, the private networks, and the name of the interface that needs to bypass the NATing.

    For example, if your inside network is and the remote network is and your inside interface was named 'inside' you'd need the following:

    access-list nonat permit ip

    nat (inside) 0 access-list nonat

    This tells the 501 to bypass NATing for traffic leaving the network bound for the network thereby bridging the two private networks without any NATing.

    sigideba, Apr 28, 2008
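
Added example, not part of any post in this thread: a PIX OS 6.x configuration sketch that puts the broad setup discussed above beside a restricted one, combining the narrowed NAT exemption with the ACL check on VPN traffic. It uses the thread's placeholder ranges (192.168.2.x pool, 172.46.24.x network); the host 172.46.24.10, the port and the ACL name outside_in are assumptions made up for illustration.

```cisco
: Constructed example for PIX OS 6.x, using the thread's placeholder ranges:
:   VPN client pool    192.168.2.0/24
:   protected network  172.46.24.0/24
: The host 172.46.24.10 and the ACL name outside_in are hypothetical.

: --- Broad setup described in the thread -------------------------------
: NAT exemption covers the whole internal range, and decrypted IPsec
: traffic skips the interface ACL, so every VPN client reaches every host.
:   access-list nonat permit ip 172.46.24.0 255.255.255.0 192.168.2.0 255.255.255.0
:   nat (inside) 0 access-list nonat
:   sysopt connection permit-ipsec

: --- Restricted setup --------------------------------------------------
: 1. Exempt only the hosts VPN clients are meant to reach.
access-list nonat permit ip host 172.46.24.10 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: 2. Make decrypted VPN traffic subject to the outside interface ACL.
no sysopt connection permit-ipsec

: 3. Permit the specific service, then deny the rest of the pool explicitly
:    so blocked attempts show up as hit counts in "show access-list".
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 172.46.24.10 eq 443
access-list outside_in deny ip 192.168.2.0 255.255.255.0 any
access-group outside_in in interface outside
```

If an ACL is already bound to the outside interface, add these entries to that ACL instead of binding a new one, since an interface takes a single inbound access-group.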