
PIX 506 NAT / NONAT

kasame141006
Level 1

Hi all,

We already have a VPN tunnel on the PIX 506 with the second party and it's working fine, and we also do the NATting. Recently we have engaged with them in another project for which we have to define in our PIX that the IP addresses of 4 internal computers inside our LAN should be able to connect to their inside LAN servers, but these IP addresses should not perform or go through the NAT process, as our internal computers/client hosts will use an additional IPsec encryption tunneling software (third-party tool) to connect to their other inside LAN servers.

As far as I understood from the firewall configuration (also attached below):

1. we have vpn tunnel connected and working

2. we have one static defined for our internal host

3. we also have a global defined

4. we also have an access-list for the VPN which defines the whole range as interesting traffic.

5. we have acl_grp, which is not even applied to any interface, and I don't understand why it's there.

6. we are also doing NATting.

Configuration:

attached file

What I am suggesting to change it to:

//this will simplify the configuration and only perform NAT for this IP, which it should

access-list Project permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Project_NAT permit ip host 200.200.200.201 host 192.168.x.x

global (outside) 10 192.168.15.201

nat (inside) 10 access-list Project_NAT

static (inside,outside) 192.168.x.x 200.200.200.201 netmask 255.255.255.255

//next, define that it does not NAT the other IP address

access-list nonat permit ip host 200.200.100.1 host 1.2.3.1

nat (inside) 0 access-list nonat

I hope I am right; if anyone can help me out here it would be great. Whatever is configured is inherited from the last administrator, who left unseen.
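Added here as an illustration, not the poster's configuration: a small Python model of the order in which PIX 6.x picks a translation for an inside-to-outside flow (nat 0 exemption first, then static, then policy NAT via nat <id> access-list, then regular NAT), parsing access-list lines written in the proposal's syntax. The 192.168.1.10 server address, the 192.168.15.250 catch-all pool and the static mapping are constructed stand-ins for the thread's 192.168.x.x placeholders.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one PIX address spec: 'host A', 'any', or 'A MASK' (subnet mask, not wildcard)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines):
    """Return {name: [(src_net, dst_net), ...]} from PIX 'access-list ... permit ip' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2:4] != ["permit", "ip"]:
            continue  # only 'permit ip' entries drive nat/nat 0 selection here
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(t[1], []).append((src, dst))
    return acls

def matches(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in entries)

def translate(acls, statics, src, dst):
    """Winning translation for an inside->outside flow, in PIX 6.x precedence order."""
    if matches(acls.get("nonat", []), src, dst):
        return ("exempt", src)                       # nat (inside) 0 access-list nonat
    if src in statics:
        return ("static", statics[src])              # static (inside,outside) ... wins over policy NAT
    if matches(acls.get("Project_NAT", []), src, dst):
        return ("policy-nat", "192.168.15.201")      # nat (inside) 10 access-list + global (outside) 10
    return ("regular-nat", "192.168.15.250")         # constructed catch-all global pool

# Constructed sample mirroring the proposal; 192.168.1.10 stands in for 192.168.x.x.
ACL_LINES = [
    "access-list Project permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list Project_NAT permit ip host 200.200.200.201 host 192.168.1.10",
    "access-list nonat permit ip host 200.200.100.1 host 1.2.3.1",
]
STATICS = {"200.200.200.201": "192.168.15.201"}  # static (inside,outside) 192.168.15.201 200.200.200.201
ACLS = parse_acl(ACL_LINES)
```

Because the static is evaluated before policy NAT, the Project_NAT entry for 200.200.200.201 is only reached if that static is removed; the nonat entry is checked before anything else.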

2 Replies

kasame141006
Level 1

Sorry, I forgot the attachment, and I need advice on it, which I would really appreciate.

Hi friend,

I think you should be good to go.

All you have to do is define a no-NAT access-list for the destinations required and map it to the nat statement:

access-list no-nat permit ip <inside-host> <remote-destination>

nat (inside) 0 access-list no-nat

HTH, rate if it does

Narayan
