Two NAT 0 statements or equivalent needed on a single PIX 6.3.(5) being used as a hub in site to site

I have 3 506Es that form a hub with 2 spokes. I do not want the two tunnels going into the hub NAT'd. The second NAT 0 overwrites the first. I need two separate access lists, 1 for each tunnel, and I have tried 192.168.x.x 255.255.0.0 as the test to not NAT, which works but kills the internet. Please help, as I have been working all day on this and am wondering how Cisco sold these firewalls if they can not do 2 tunnels in a hub and spoke, which is what telecommuters use all the time.
1st 192.168.1.0
2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 102

NAT (inside) 0 access-list 101
NAT (inside) 0 access-list 102

Leaves NAT (inside) 0 access-list 102 only
NAT (inside) 0 192.168.0.0 255.255.0.0 leaves no internet access

2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list

How do you get around this? Surely the PIX would not have sold as much if you were limited to 1 remote user at a time in a site to site config?

Thanks in advance
Davidloc Asked:

geergon Commented:
Hey my friend, do not misunderstand, but in the very early years of the PIX it was considered a NAT device more than a firewall. The main purpose of the PIX was to handle NAT very well.

Right now, are you sure that you are using the correct NAT rules?
Do you know the NAT order of operations that the PIX uses?
Do you know what nat 0 is all about?

Can you explain better what you are trying to accomplish?
Davidloc Author Commented:
I was trying to figure out a way to add access lists to the no-NAT list (NAT 0), but you can't, apparently, and you have to define all your addresses in one ACL that you then use against your NAT 0 rule. I like the ASAs much better; they are much more intuitive.
gavving Commented:
You configure all your NAT0 requirements in one ACL and reference that.

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

That should work fine on 6.3, I used that config setup for years.

Davidloc Author Commented:
2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list


That was the problem with this; I eventually figured out to use 2 access lists for the same IPs, one for the NAT rules and the other for the tunnel:

IP 1 = access-list 1
IP2 = access-list 2
IP1 = access-list 3
IP2 = access-list 3

NAT 0 access-list 3
IPSEC MAP A match access-list 1
IPSEC MAP B match access-list 2

A little convoluted but it works
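Added example, not code from the thread: a small Python model of the NAT-exempt and crypto map matching described in the two comments above, using the three networks from the question. It assumes the hub LAN is 192.168.1.0/24 and uses a constructed public address (198.51.100.7) to stand in for internet-bound traffic.

```python
import ipaddress

# Constructed addressing from the thread: hub LAN and the two spoke LANs.
HUB = ipaddress.ip_network("192.168.1.0/24")
SPOKE_A = ipaddress.ip_network("192.168.2.0/24")
SPOKE_B = ipaddress.ip_network("192.168.3.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def acl_permit(acl, src, dst):
    """An ACL here is a list of (source_net, dest_net) permit entries."""
    return any(src in s and dst in d for s, d in acl)

# One nonat ACL listing both tunnels, referenced by a single nat 0 line.
ACL_NONAT = [(HUB, SPOKE_A), (HUB, SPOKE_B)]
# 'nat (inside) 0 192.168.0.0 255.255.0.0' has no destination part, so it
# behaves like a single entry whose destination is any address.
NONAT_NETWORK_FORM = [(ipaddress.ip_network("192.168.0.0/16"), ANY)]
# Separate ACLs for the crypto map entries, one per spoke.
CRYPTO_MAPS = {"spoke_a": [(HUB, SPOKE_A)], "spoke_b": [(HUB, SPOKE_B)]}

def nat_decision(nonat, src, dst):
    """Outbound packet on the inside interface: a nat 0 match means the
    source keeps its private address; otherwise the global NAT applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "no-nat" if acl_permit(nonat, src, dst) else "nat"

def tunnel_for(crypto_maps, src, dst):
    """Return the first crypto map entry whose ACL matches, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, acl in crypto_maps.items():
        if acl_permit(acl, src, dst):
            return name
    return None

def classify(nonat, crypto_maps, src, dst):
    """(NAT decision, tunnel) for one packet under a given nat 0 policy."""
    return nat_decision(nonat, src, dst), tunnel_for(crypto_maps, src, dst)

if __name__ == "__main__":
    for dst in ("192.168.2.10", "192.168.3.10", "198.51.100.7"):
        print("acl form    ", dst, classify(ACL_NONAT, CRYPTO_MAPS, "192.168.1.5", dst))
        print("network form", dst, classify(NONAT_NETWORK_FORM, CRYPTO_MAPS, "192.168.1.5", dst))
```

With the ACL form, both spoke destinations are exempt and each hits its own crypto map while internet traffic is still translated; with the /16 network form, internet traffic also leaves untranslated with a private source, which is the "kills the internet" behaviour from the question.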
Davidloc Author Commented:
See explanation in next comment
gavving Commented:
Yes, you're correct. You should always use different ACLs for NAT rules and IPSec tunnels. Some old Cisco examples show using the same ACL, and it will work for very basic configs, but once you start having multiple tunnels, it does not work. Thus I always use separate ACLs for NAT0 and for the IPsec tunnel.