I've tried this with only one access list. .... see the last couple of sentences in my first post. But I did it again just to make sure. Please see attached config.

And I still have same problem. PIX-to-PIX VPN from other office works fine. But remote VPN from Cisco Client has problems. The VPN tunnel does connect. But the remote PC is not getting connected to the local network. I think there is some kind of routing problem here. But the remote client connected just fine to my server when it had its own access list and the nat 0 set to it, which also, of course, killed the PIX-to-PIX vpn.

Not a nat 0 problem. Add this to your pix...

isakmp nat-traversal

I agree Adam. Change your pool back and add nat-traversal and you should be good to go.

OK ... this makes total sense to me. What doesn't make sense is a no_nat acl with two destination addresses. I can't decode anything like this out of my 6.3 cmd ref. Can you show me what such an access-list command statement would look like??

access-list nonat permit ip Main 192.168.2.0 255.255.255.0

access-list nonat permit ip Main 192.168.4.0 255.255.255.0

nat (inside) 0 access-list nonat

It should look something like:

access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_no_nat permit ip 192.688.1.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (inside) 0 access-list acl_no_nat

the no NAT access-list can have many destination subnets or IPs in it. All it does is tell the PIX not to NAT traffic going from 192.168.1.0/24 to West or to VPN clients. For example, if you add another site to site VPN you will need to add another line in the acl_no_nat access-list:

access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0

Thanks Adam ... it is simple. It just wasn't clear to me that multiple statements could be assigned to the same acl. And its right there in the manual ... second sentence in the Access List Usage. Need to knock down some glass walls in my head and read a little closer.

Adam .... I have another access-list question. I want to do something simple: open a port for the remote VPN users. But, to me the access-list doc for this operation in the cmd ref is really cryptic. How would I open port 12345? Do I have to define an object group to do this??

I would recommend changing your vpnwest ip pool to the RmtVPN subnet (192.168.4.0) and then adding an access-list for just no-nat. For example:

remove: access-list vpn_west permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0

add: access-list no-nat permit ip ESIMain 255.255.255.0 ESIWest 255.255.255.0

add: access-list no-nat permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0

remove: nat (inside) 0 access-list vpn_west

add: nat (inside) 0 access-list no-nat

remove: ip local pool vpnwest 192.168.2.100-192.168.2.110

add: ip local pool rmtvpn 192.168.4.100-192.168.4.110

remove: vpngroup vpnwest address-pool vpnwest

add: vpngroup vpnwest address-pool rmtvpn

remove: vpngroup makvpn address-pool vpnwest

add: vpngroup makvpn address-pool rmtvpn

A lot of this is cosmetics but it will help when troubleshooting. You shouldn't need an access-list on your outside interface to allow remote vpn access to it. Once the client is connected I believe they will have full access to your 192.168.1.0/24 network in this configuration. Are you wanting to restrict this access?

As long as you have "sysopt connection permit-ipsec" there is no need to define an access-list to allow traffic from the vpn client as all traffic will be allowed.

Before I discovered the use of multiple access-list commands for one access access group, I had tried the setup you described. It didn't work. The VPN from the west office is different: its a PIX to PIX VPN tunnel that I found docs for on Cisco's site. I believe it works differently from the connections from the VPN Client software that's out on remote laptops. The west office is on 192.168.2.0 and it appears if I remove that network from the config, the VPN from there will not connect. I've attached both the doc I got this from and the config from the west office router. Using the configs in this doc was the only way I could get the PIX-to-PIX VPN to work .... all the other VPN docs were wrong.

It looks as though, based off the provided config, that you are NAT'ing traffic that is supposed to go over the VPN tunnel. You are going to want to have a no-nat access-list on the WestPIX also:

access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

Also, you will want to enable sysopt connection permit-ipsec for the tunnel to come up with your current configuration.

sysopt connection permit-ipsec

You will also need to enable your crypto and isakmp commands again. Issue the same commands that are in your WestPIX config with the no crypto... and no isakmp... without the "no" in front. The following command will need to change also:

crypto map outside_map 20 match address inside_outbound_nat0_acl

to:

crypto map outside_map 20 match address no-nat

This is due to the access-list inside_outbound_nat0_acl not existing.

I hope this helps.