PIX 515 nat 0 and vpn site-2-site

Hi NG,

I've got 2 sites which I would like to connect via VPN site-2-site. Now with one of the sites I've got a nat 0 access-list statement. And for the second I'd like to nat 0 again. But since it overwrites that statement I can only set one single nat 0 statement ... I do not want to NAT to these other sites!

nat (inside) 0 access-list ACL_SITE_1
((nat (inside) 0 access-list ACL_SITE_2))

access-list ACL_SITE_1 permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
((access-list ACL_SITE_2 permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255))

How should I solve this? Thank ya, Colin

Reply to
colin

In article , colin wrote:
:I've got 2 sites which I would like to connect via VPN site-2-site. Now with
:one of the sites I've got a nat 0 access-list statement. And for the second I'd
:like to nat 0 again.
:But since it overwrites that statement I can only set one single nat 0
:statement ... I do not want to NAT to these other sites!

:nat (inside) 0 access-list ACL_SITE_1
:((nat (inside) 0 access-list ACL_SITE_2))

:access-list ACL_SITE_1 permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
:((access-list ACL_SITE_2 permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255))

:How should I solve this?

access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255
nat (inside) 0 access-list nonat_acl

With PIX 4/5/6, any time that you try to use a single ACL in two different contexts (e.g., nat 0 access-list and crypto map match address) then you are very likely configuring incorrectly or running into a Cisco bug. Only use any given ACL for one purpose.

Reply to
Walter Roberson

What about the decision which VPN tunnel to use in such a config? It does not make sense to me, since you define which IPs should be taking which tunnel in this context or not...? If you define only one, where are the packets sent to? To which site?

thank ya

Reply to
colin

In article , colin wrote:
:> access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
:> access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255
:> nat (inside) 0 access-list nonat_acl

Did I really write X.Y.Z.Z 0.0.255.255 ?? Ah yes, I really did... I copied from the original posting. Very likely that second line should read

access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 255.255.0.0

:What about the decision which VPN tunnel to use in such a config? It does
:not make sense to me, since you define which IPs should be taking which
:tunnel in this context or not...?
:If you define only one, where are the packets sent to? To which site?

nat (inside) 0 access-list nonat_acl does not directly influence the choice of VPN tunnel. All it does is say which flows will have NAT turned off.

Selection of VPN tunnel is by matching the *after*-NAT addresses against the crypto map match address list. The list with the lowest crypto policy number is looked at first; if there is no match there, the next lowest is looked at and so on... [though if there is any overlapping between them such that the policy order matters, you are very very likely going to have mysterious VPN problems!]

Reply to
Walter Roberson
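To show how the single nat 0 exemption ACL and the per-tunnel crypto ACLs fit together, here is an added PIX 6.x configuration sketch; it is not from this thread or from Cisco. It keeps the two local networks from the posts, uses the corrected 255.255.0.0 mask, and treats the remote sides, peer addresses, pre-shared keys, map and transform-set names as placeholders.

```cisco
! Added example (not from the thread): one NAT exemption ACL for nat 0 and
! a separate crypto ACL per site, so no ACL is reused in two contexts.
! <SITE1_REMOTE_HOST>, <SITE2_REMOTE_NET>, peers and keys are placeholders.

! --- NAT exemption: both sites in one ACL, referenced only by nat 0 ---
access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host <SITE1_REMOTE_HOST>
access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 <SITE2_REMOTE_NET> 255.255.0.0
nat (inside) 0 access-list nonat_acl

! --- Tunnel selection: one crypto ACL per peer, matched on after-NAT addresses ---
access-list crypto_site1 permit ip 176.x.x.0 255.255.0.0 host <SITE1_REMOTE_HOST>
access-list crypto_site2 permit ip 10.x.x.0 255.255.0.0 <SITE2_REMOTE_NET> 255.255.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Lowest sequence number is checked first; keep the two crypto ACLs
! non-overlapping so that the order never decides which peer gets a flow.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypto_site1
crypto map outside_map 10 set peer <SITE1_PEER_IP>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypto_site2
crypto map outside_map 20 set peer <SITE2_PEER_IP>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! --- IKE phase 1, one pre-shared key per peer ---
isakmp enable outside
isakmp key <SITE1_PSK> address <SITE1_PEER_IP> netmask 255.255.255.255
isakmp key <SITE2_PSK> address <SITE2_PEER_IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

After applying it, "show crypto ipsec sa" per peer shows which crypto ACL each flow matched, which is the quickest way to confirm a packet went to the intended site rather than the lower-numbered map entry.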
