Davidloc (Canada) asked:
Two NAT 0 statements or equivalent needed on a single PIX 6.3.(5) being used as a hub in site to site

I have 3 506Es that form a hub with 2 spokes. I do not want the two tunnels going into the hub NAT'd. The second NAT 0 overwrites the first. I need two separate access lists, 1 for each tunnel, and I have tried 192.168.x.x 255.255.0.0 as the test to not NAT, which works but kills the internet. Please help, as I have been working all day on this and am wondering how Cisco sold these firewalls if they cannot do 2 tunnels in a hub and spoke, which is what telecommuters use all the time.
1st 192.168.1.0
2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 102

NAT (inside) 0 access-list 101
NAT (inside) 0 access-list 102

Leaves NAT (inside) 0 access-list 102 only
NAT (inside) 0 192.168.0.0 255.255.0.0 leaves no internet access

2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list

How do you get around this? Surely the PIX would not have sold as much if you were limited to 1 remote user at a time in a site to site config?

Thanks in advance
geergon (Costa Rica):

Hey my friend, do not misunderstand, but in the very early years of the PIX it was considered a NAT device more than a firewall. The main purpose of the PIX was to handle NAT very well.

Right now, are you sure that you are using the correct NAT rules?
Do you know what NAT order of operation the PIX uses?
Do you know what nat 0 is all about?

Can you explain better what you are trying to accomplish?
Davidloc (asker):
I was trying to figure out a way to add access lists to the no-NAT list (NAT 0), but you can't, apparently, and you have to define all your addresses in one ACL that you then use against your NAT 0 rule. I like the ASAs much better; they are much more intuitive.
ASKER CERTIFIED SOLUTION by gavving (United States of America)

2nd 192.168.2.0 access-list 101
3rd 192.168.3.0 access-list 101

Does not allow for matching the ipsec tunnel to a specific access list


That was the problem with this. I eventually figured out to use 2 access lists for the same IPs, one for the NAT rules and the other for the tunnel:

IP1 = access-list 1
IP2 = access-list 2
IP1 = access-list 3
IP2 = access-list 3

NAT 0 access-list 3
IPSEC MAP A match access-list 1
IPSEC MAP B match access-list 2

A little convoluted, but it works.
See explanation in next comment.
Yes, you're correct. You should always use different ACLs for NAT rules and IPsec tunnels. Some old Cisco examples show using the same ACL, and it will work for very basic configs, but once you start having multiple tunnels, it does not work. Thus I always use separate ACLs for NAT 0 and for the IPsec tunnel.
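A PIX 6.3 configuration sketch of the layout described in the last two comments, added here as an illustration and not taken from any post in this thread: one NONAT ACL listing both spoke networks feeds the single `nat (inside) 0 access-list` statement, while each crypto map entry matches its own per-spoke ACL. ACL and map names, the peer addresses (203.0.113.x documentation range) and the pre-shared key placeholder are assumptions. Because `nat 0` with an ACL matches on destination as well as source, only hub-to-spoke traffic is exempted and internet-bound traffic still falls through to `nat (inside) 1`, which the network-style `nat (inside) 0 192.168.0.0 255.255.0.0` could not achieve.

```cisco
! Constructed example (not from the thread): hub LAN 192.168.1.0/24,
! spoke A LAN 192.168.2.0/24, spoke B LAN 192.168.3.0/24.
! Peer IPs and key are placeholders.

! One ACL for NAT exemption: both spokes, one nat 0 statement.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

! Separate crypto ACLs, one per tunnel, so each map entry matches only its spoke.
access-list VPN_SPOKE_A permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN_SPOKE_B permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

! Tunnel traffic bypasses NAT; everything else is PATed to the outside interface.
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Let decrypted IPsec traffic bypass the interface ACL check.
sysopt connection permit-ipsec

crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac

! One crypto map on the outside interface, two sequence numbers (one per spoke).
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_SPOKE_A
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP 20 ipsec-isakmp
crypto map VPNMAP 20 match address VPN_SPOKE_B
crypto map VPNMAP 20 set peer 203.0.113.3
crypto map VPNMAP 20 set transform-set STRONG
crypto map VPNMAP interface outside

isakmp enable outside
isakmp key <PRESHARED_KEY_A> address 203.0.113.2 netmask 255.255.255.255
isakmp key <PRESHARED_KEY_B> address 203.0.113.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Verify the exemption with `show nat` and the tunnel selectors with `show crypto ipsec sa`; the NONAT ACL hit counts should rise only for hub-to-spoke flows while internet traffic continues to show xlates under `show xlate`.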