Cisco PIX 8.0 VPN RA with internal NAT

nruiz_darest
Level 1

Hi all,

Everything I'm describing is done with a Cisco PIX Security Appliance Software Version 8.0(4)28.

I'm trying to give access to an internally NATed system for VPN RA users.

Basically, they open an IPSec session and are hosted in a first subnet (172.16.1.0/24).

Then I give them an access to a second subnet (172.16.2.0/24).

Finally, I have some hidden back office systems hosted in a third subnet (172.16.3.0/24).

Each subnet is indeed behind its own PIX interface.

I don't want to give any access on the third subnet to VPN users, but there is a system in it they may exploit. So I NAT it from the third to the second subnet.

The NAT is OK when trying to access from a system hosted in the second subnet itself.

Also, I can reach any system directly hosted in the second subnet from the first subnet (IPSec tunnelled).

The problem is that I cannot reach the NATed interface in the second subnet from my first subnet (IPSec tunnelled).

What am I missing?

Thanks a lot.

! Split-tunnel list: only 172.16.2.0/24 is sent through the tunnel
access-list LAB_splitTunnelAcl standard permit 172.16.2.0 255.255.255.0
! NAT exemption for traffic from Projects toward the VPN pool
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.0
! Inbound ACL on Projects: hosts there may reach the mapped host 172.16.2.1
! and anything outside 172.16.0.0/16, nothing else in 172.16.0.0/16
access-list Projects_in extended permit icmp any host 172.16.2.1
access-list Projects_in extended permit tcp any host 172.16.2.1
access-list Projects_in extended permit udp any host 172.16.2.1
access-list Projects_in extended deny ip any 172.16.0.0 255.255.0.0
! redundant: the "deny ip" entry above already matches ICMP
access-list Projects_in extended deny icmp any 172.16.0.0 255.255.0.0
access-list Projects_in extended permit ip any any
! redundant: the "permit ip any any" entry above already matches ICMP
access-list Projects_in extended permit icmp any any

nat (Projects) 0 access-list inside_nat0_outbound
nat (Projects) 1 0.0.0.0 0.0.0.0
! Static mapping: 172.16.3.1 (inside) appears as 172.16.2.1 on Projects.
! A static is bound to the interface pair named here, so this translation
! applies only to traffic between the inside and Projects interfaces.
static (inside,Projects) 172.16.2.1 172.16.3.1 netmask 255.255.255.255
access-group Projects_in in interface Projects

group-policy VpnGroupPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAB_splitTunnelAcl
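The following is an added illustrative PIX 8.0 configuration and is not part of the original post. It shows why the posted static is invisible to VPN users and what a second static for the VPN-facing interface pair looks like. It assumes the IPsec remote-access tunnel terminates on an interface named "outside", that nat-control is disabled and "sysopt connection permit-vpn" is enabled (both PIX 7.x/8.0 defaults), that a client address 172.16.1.10 is used for verification, and that TCP 443 stands in for whatever port the back-office service actually uses.

```cisco
! Added illustrative configuration, not from the original post.
! Assumptions: VPN terminates on "outside"; nat-control disabled and
! "sysopt connection permit-vpn" enabled (PIX 7.x/8.0 defaults);
! TCP 443 is a placeholder for the real service port.

! --- What the post has. A static translates only between the two
! interfaces it names. A decrypted VPN packet enters the appliance on
! "outside", so this (inside,Projects) static never matches it: the
! packet is routed to the Projects segment with destination 172.16.2.1
! untranslated, where no real host owns that address, and nothing replies.
static (inside,Projects) 172.16.2.1 172.16.3.1 netmask 255.255.255.255

! --- Addition: the same mapped address for the (inside,outside) pair.
! The same mapped address may be used on different mapped interfaces.
! 172.16.2.1 is already inside LAB_splitTunnelAcl, so clients send it
! through the tunnel. Return traffic from 172.16.3.1 is translated back
! to 172.16.2.1 by the same static, so the client sees a consistent peer.
static (inside,outside) 172.16.2.1 172.16.3.1 netmask 255.255.255.255

! --- Least privilege on the VPN-facing interface: only the VPN pool,
! only the mapped address, only the service port. Interface ACLs on
! pre-8.3 code are evaluated against the mapped (172.16.2.1) address.
! Note: with the default "sysopt connection permit-vpn", decrypted VPN
! traffic bypasses interface ACLs, so this ACL only takes effect after
! "no sysopt connection permit-vpn" (which then also affects every other
! tunnel on the box); otherwise restrict with a vpn-filter in the
! group policy instead.
access-list outside_in extended permit tcp 172.16.1.0 255.255.255.0 host 172.16.2.1 eq 443
access-group outside_in in interface outside

! --- Verification (client 172.16.1.10 and port 443 are assumptions):
!   show xlate | include 172.16.2.1
!     -> expect an entry mapping inside 172.16.3.1 to outside 172.16.2.1
!   packet-tracer input outside tcp 172.16.1.10 12345 172.16.2.1 443
!     -> expect every phase to ALLOW, with the NAT phase showing an
!        Untranslate of 172.16.2.1 to 172.16.3.1; without the second
!        static the trace shows no untranslate for this destination
```

The key point is that "static" is per interface pair, so a back-office host that must be visible under one mapped address from two interfaces needs one static per interface pair, each using the same mapped address. packet-tracer (available since 7.2) makes the difference visible before and after the change without touching a client.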
1 Reply

nruiz_darest
Level 1

Maybe that's not possible or not supported by Cisco?