In article , jspr wrote:
:Does anybody know the benefit of using two ACLs when creating a site-to-site
:VPN, one for disabling NAT and then one for the crypto map.
We can deduce from the commands you show us that you are talking about the PIX; it is better if you state the product and software version explicitly as different products and different versions work slightly differently.
:Or is it just a matter of preference? Example:
:access-list remote_site permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
:access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
:nat (inside) 0 access-list nonat
The PIX only supports a single nat 0 access-list. If you have multiple crypto maps, you have to merge all the NAT exemptions together into one list, but you want the crypto maps to be separate.
You also cannot use the same ACL for nat 0 access-list or for crypto map match-address as you are using for an access-group: that's because anything used as an access-group has internal updates as needed to implement the Adaptive Security Algorithm.
Thus, even in cases where you only have one crypto map entry, it is a good idea to get into the habit of using distinct ACLs, so as to avoid accidental reuse in the future.
If I recall correctly, there are also some bugs in some releases if you use the same ACL for nat 0 access-list as for crypto map, even with only a single crypto map. I am not certain of this; I believe I found the entry using the Bug Navigator, but it didn't matter to me as I use distinct ACLs and it was for a software version I didn't happen to be using.
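To make the layout described in the reply concrete, here is an added PIX 6.x configuration fragment for two site-to-site peers. It is an illustration written for this page, not configuration from the original poster or from the reply: every address, peer IP, ACL name, crypto map name and pre-shared key is an assumed value. Each crypto map entry gets its own match-address ACL, the NAT exemptions for both peers are merged into the single nat 0 ACL, and the interface access-group uses a third, unrelated ACL.

```cisco
: Added example, not from the original thread. All addresses, peers,
: ACL names and keys below are assumed values for illustration.
:
: Local inside network 10.1.1.0/24
: Remote site A 192.168.1.0/24 behind peer 203.0.113.10
: Remote site B 192.168.2.0/24 behind peer 203.0.113.20

: One ACL per crypto map entry; each matches only its own peer's traffic.
access-list remote_site_a permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remote_site_b permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: A single merged NAT-exemption ACL: the union of every crypto ACL above,
: because the PIX accepts only one "nat (inside) 0 access-list" statement.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: A separate ACL for the interface access-group. Never reuse remote_site_*
: or nonat here; access-group ACLs are rewritten internally by the ASA.
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside

: IKE phase 1 (pre-shared keys are placeholders)
isakmp enable outside
isakmp key ExampleKeyA address 203.0.113.10 netmask 255.255.255.255
isakmp key ExampleKeyB address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: IPsec phase 2: two crypto map entries, each bound to its own ACL
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address remote_site_a
crypto map vpn 10 set peer 203.0.113.10
crypto map vpn 10 set transform-set strong
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address remote_site_b
crypto map vpn 20 set peer 203.0.113.20
crypto map vpn 20 set transform-set strong
crypto map vpn interface outside
sysopt connection permit-ipsec
```

Adding a third site means one more remote_site_* ACL, one more crypto map entry, and one more line appended to nonat; nothing already in place is touched, which is the practical payoff of keeping the three roles on distinct ACLs from the start.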