• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 306
  • Last Modified:

Pix 506E Site to Site VPN need 3 way no nat for the tunnels

I have 3 sites with one as the hub Site 1 . Site 2 and Site 1. Site 1 has Site 2 and Site 3 connecting directly to it and not in series this is NOT a hairpinning issue. It is a Pix 506E with 6.3 loaded on each with 128 Mb of memory each and each connection is mulitiple bonded T1s. I am trying to get the three sites to have the addresses NAT'd but when I try to use three NAT statements like:

global (inside) 1 interface
access-list 101 permit ip
access-list 102 permit ip
nat (inside) 0 access-list 101
nat (inside) 2 access-list 102
nat (inside) 1 0 0
it changes the second nat to
nat (inside) 2 access-list 102 0 0
and this site no longer sees the hub and cannot ping from the hub

I tried
access-list 102 permit ip
access-list 102 permit ip

which jsut caused the first one to be ignored

Is there a right way to do this ?

Thank you for any help with  this as is has been bothering me for months.

1 Solution
Sorry But I do not understand what are you are trying to accomplish?

Instead of asking what the nat is not working:

Can you explain what are you trying to NAT?

You do not want to use the real IP addresses of the IP scheme of your network, right? that is all about correct?

Using NAT and PAT Statements on the Cisco Secure PIX Firewall
DavidlocAuthor Commented:
3 PIX 506 E firewalls connected in a site to site , hub and spoke configuration. Your answer was in the right direction. The complete answer used one two diffent access lists with each tied to it's own IPSEC policy. The same two interfaces are then both put into a single , separate access list using two "Access list statements. This single access list is used in the NAT 0 statement to avoid the IPSEC tunnel traffic getting NAT'd

This configuration is shown it question # Which is an extension of this question but fairly merits two separate questions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now