Configuring NAT and NAT 0
NOTE The optional keyword token, when specified, informs the Security Appliance that the AAA server uses a token-card system and thus to prompt the user for a username and password during the IKE authentication.

[Figure: network diagram with labels Inside, TACACS+ Server 10.10.10.5, Outside, 192.168.10.10, Internet, 192.168.120.120, Encrypted Traffic]

416 Chapter 14: Configuring Access VPNs

Traffic from the TACACS+ server destined for 192.168.120.120 needs to be encrypted and sent through the IPSec tunnel without translation. Traffic to the Internet (from the TACACS+ server), however, needs to be translated (by NAT) but not encrypted. The commands to perform this configuration are as follows:
pix515a(config)# access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255
pix515a(config)# nat (inside) 0 access-list 101
pix515a(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pix515a(config)# global (outside) 1 interface
Traffic that matches access-list 101 is encrypted and sent through the IPSec tunnel to the
remote system. Other traffic is translated (by NAT) and transmitted without encryption out
the same interface.
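As an added illustration (not code from the book or from Cisco), the following Python model reproduces the order in which the Security Appliance evaluates these statements: the nat 0 access-list exemption is consulted first, and only flows it does not permit fall through to nat (inside) 1 and are PATed by global (outside) 1 interface. It assumes 192.168.10.10 from the figure is the outside interface address, and the Internet destination 198.51.100.7 is a constructed sample value.

```python
"""Added example (not from the book): a model of how the Security Appliance
applies 'nat (inside) 0 access-list 101' before 'nat (inside) 1 0.0.0.0 0.0.0.0',
so a practitioner can check which inside flows stay untranslated (the ones
meant for the IPSec tunnel) and which are PATed to the outside interface."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry; PIX ACLs use subnet masks, not wildcard masks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <id> permit|deny ip <src> <mask> <dst> <mask>'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    src = ipaddress.IPv4Network((tok[4], tok[5]), strict=False)
    dst = ipaddress.IPv4Network((tok[6], tok[7]), strict=False)
    return Ace(tok[2], src, dst)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


# Assumed from the figure: the outside interface address that
# 'global (outside) 1 interface' uses for PAT.
OUTSIDE_IF_ADDR = "192.168.10.10"

# The book's ACL, exactly as configured on pix515a.
ACL_101 = [parse_ace(
    "access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255"
)]


def translate(src: str, dst: str, exempt_acl=ACL_101, outside_addr=OUTSIDE_IF_ADDR):
    """Return (source address on the wire, disposition) for an inside-to-outside flow.

    nat 0 with an access-list is consulted first: a permitted flow is exempt from
    translation and, in this design, is the traffic the IPSec tunnel carries.
    Anything else falls through to nat (inside) 1 and is PATed to the outside
    interface address, leaving in the clear."""
    if acl_permits(exempt_acl, src, dst):
        return src, "nat 0 exempt: untranslated, IPSec tunnel"
    return outside_addr, "nat 1 / global 1: PAT to outside interface, cleartext"


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 is a documentation address
    # standing in for an arbitrary Internet host.
    for dst in ("192.168.120.120", "198.51.100.7"):
        print(f"10.10.10.5 -> {dst}: {translate('10.10.10.5', dst)}")
```

Running the script shows the TACACS+ server's flow to 192.168.120.120 keeping its 10.10.10.5 source while the flow to the Internet host leaves as 192.168.10.10; a host outside 10.10.10.0/24, or a destination other than 192.168.120.120, misses the exemption and is PATed.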