
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 466

Two NAT 0 statements or equivalent needed on a single PIX 6.3(5) being used as a hub in site to site

I have 3 506Es that form a hub with 2 spokes. I do not want the two tunnels going into the hub NAT'd. The second NAT 0 overwrites the first. I need two separate access lists, 1 for each tunnel, and I have tried 192.168.x.x 255.255.0.0 as the test to not NAT, which works but kills the internet. Please help, as I have been working all day on this and am wondering how Cisco sold these firewalls if they cannot do 2 tunnels in a hub and spoke, which is what telecommuters use all the time.
1st 192.168.1.0
2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 102

NAT (inside) 0 access-list 101
NAT (inside) 0 access-list 102

Leaves NAT (inside) 0 access-list 102 only
NAT (inside) 0 192.168.0.0 255.255.0.0 leaves no internet access

2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list

How do you get around this? Surely the PIX would not have sold as much if you were limited to 1 remote user at a time in a site to site config?

Thanks in advance
Asked: Davidloc
1 Solution
 
geergon commented:
Hey my friend, do not misunderstand, but in the very early years of the PIX it was considered a NAT device more than a firewall. The main purpose of the PIX was to handle NAT very well.

Right now, are you sure that you are using the correct NAT rules?
Do you know what the NAT order of operation is that the PIX uses?
Do you know what nat 0 is all about?

Can you explain better what you are trying to accomplish?
 
Davidloc (author) commented:
I was trying to figure out a way to add access lists to the no-NAT list (NAT 0), but apparently you can't, and you have to define all your addresses in one ACL that you then use against your NAT 0 rule. I like the ASAs much better; they are much more intuitive.
 
gavving commented:
You configure all your NAT0 requirements in one ACL and reference that.

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

That should work fine on 6.3; I used that config setup for years.

 
Davidloc (author) commented:
2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list


Was the problem with this. I eventually figured out to use 2 access lists for the same IPs, one for the NAT rules and the other for the tunnel:

IP1 = access-list 1
IP2 = access-list 2
IP1 = access-list 3
IP2 = access-list 3

NAT 0 access-list 3
IPSEC MAP A match access-list 1
IPSEC MAP B match access-list 2

A little convoluted but it works
 
Davidloc (author) commented:
See explanation in next comment
 
gavving commented:
Yes, you're correct. You should always use different ACLs for NAT rules and IPsec tunnels. Some old Cisco examples show using the same ACL, and it will work for very basic configs, but once you start having multiple tunnels, it does not work. Thus I always use separate ACLs for NAT 0 and for the IPsec tunnel.
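The two pitfalls this thread settles on, a second `nat (inside) 0 access-list` line silently replacing the first, and crypto-map traffic that is not covered by the NAT-exemption ACL, are easy to check mechanically before a config goes onto the hub. The script below is an added example written for this page, not code from the thread or from Cisco: it parses a constructed PIX 6.3-style config (the "good" one is modelled on gavving's single `nonat` ACL plus separate per-tunnel ACLs, the "bad" one on the original two-`nat 0` attempt), keeps only the last `nat 0` per interface as the PIX does, and reports any crypto-map source/destination pair that is not NAT-exempt. The ACL names, map name `hubmap` and the 203.0.113.x peer addresses are placeholders; only `permit ip NET MASK NET MASK` entries are parsed (no `host`/`any` forms), which is a simplifying assumption.

```python
"""Added example (not from the thread): audit a PIX 6.3-style config so that a
single 'nat (IFACE) 0 access-list' exempts every flow a crypto map protects.

Only three statement types are parsed: 'access-list NAME permit ip SRC MASK DST MASK',
'nat (IFACE) 0 access-list NAME' and 'crypto map MAP SEQ match address NAME'.
ACL entries using 'host' or 'any' are not handled (simplifying assumption).
"""
import ipaddress
import re

# Constructed hub-side config modelled on the fix described in the thread:
# one NAT-exemption ACL holding every tunnel flow, and a separate ACL per
# crypto map entry. Peer addresses are documentation-range placeholders.
GOOD_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn_spoke2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_spoke3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address vpn_spoke2
crypto map hubmap 10 set peer 203.0.113.2
crypto map hubmap 20 ipsec-isakmp
crypto map hubmap 20 match address vpn_spoke3
crypto map hubmap 20 set peer 203.0.113.3
crypto map hubmap interface outside
"""

# Constructed config reproducing the original attempt: two nat 0 lines that
# reuse the crypto ACLs. On the PIX the second nat 0 replaces the first.
BAD_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 0 access-list 102
crypto map hubmap 10 match address 101
crypto map hubmap 20 match address 102
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Return (acls, nat0, crypto): ACL name -> [(src, dst)], the ordered list
    of (interface, acl) nat 0 statements, and (map, seq) -> acl for crypto maps."""
    acls, nat0, crypto = {}, [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                 ipaddress.ip_network(f"{d_ip}/{d_mask}")))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))
        elif m := MATCH_RE.match(line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, crypto


def audit(config):
    """Return a list of findings; an empty list means every tunnel flow is exempt."""
    acls, nat0, crypto = parse(config)
    findings = []

    # Only the last 'nat (iface) 0 access-list' per interface takes effect.
    per_iface = {}
    for iface, acl in nat0:
        per_iface.setdefault(iface, []).append(acl)
    for iface, names in per_iface.items():
        if len(names) > 1:
            findings.append(
                f"nat ({iface}) 0 defined {len(names)} times; only '{names[-1]}' survives")
    exempt = [entry for names in per_iface.values() for entry in acls.get(names[-1], [])]

    # Every src->dst pair a crypto map protects must sit inside some exempt pair,
    # otherwise that traffic is translated before it can match the tunnel.
    for (cmap, seq), acl in crypto.items():
        for src, dst in acls.get(acl, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                findings.append(f"crypto map {cmap} {seq}: {src} -> {dst} is not NAT-exempt")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run against the "bad" config the audit reports that only ACL 102 survives and that the spoke-2 flow is no longer exempt, which is exactly the symptom in the question; the "good" config produces no findings, and the separate `nat (inside) 1` / `global` pair keeps ordinary internet traffic translated.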
