I was working with a Cisco Engineer getting some issues with a PIX to PIX VPN worked out, and they recommended that my access lists for allowing NATed traffic from inside to outside to inside all have entries for each subnet in both directions, and that they make a different ACL for each interface/connection, even though they are all the same. Not sure if it makes sense.
So for example I have the Following references to ACLs:
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat
crypto map outside_map 20 match address outside_cryptomap_20
So that makes 4 ACLs: outside_nat0_outbound, outside_nat0_inbound, inside_nat, outside_cryptomap_20
I have 11 different subnets that are connected one way or another to the PIXs, so the Cisco tech recommended that for each of the four lists I have the following:
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
access-list extended permit ip
So that would make it 110 entries per ACL and 440 for the lot of them.
Since they are the same, why should I not use the same name? Does this seem right?
All subnets are 10.X.0.0/16. Why not just put in a 10.0.0.0/8 to 10.0.0.0/8 and be done with it?
Thank you, Scott
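As an added example (not Scott's configuration and not Cisco's own tooling), the script below generates the per-subnet-pair entries the engineer described in PIX syntax, confirms the 110-per-ACL / 440-total count, and then checks which flows a single 10.0.0.0/8 to 10.0.0.0/8 entry would match that the explicit pairwise list would not. The eleven /16 subnets and the sample addresses are constructed stand-ins, since the post does not give the real ones.

```python
"""Added example: pairwise ACL entries vs. a 10.0.0.0/8 summary entry.
The subnet list is constructed; the original post elides the real subnets."""
import ipaddress
from itertools import permutations

# Constructed stand-ins for the eleven 10.X.0.0/16 subnets in the post.
SUBNETS = [ipaddress.ip_network(f"10.{x}.0.0/16") for x in range(1, 12)]
ACL_NAMES = ["outside_nat0_outbound", "outside_nat0_inbound",
             "inside_nat", "outside_cryptomap_20"]


def pairwise_aces(acl_name, subnets):
    """One 'permit ip A B' line per ordered pair of distinct subnets (PIX syntax)."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{a.network_address} {a.netmask} {b.network_address} {b.netmask}"
        for a, b in permutations(subnets, 2)
    ]


def summary_ace(acl_name, summary="10.0.0.0/8"):
    """The single summarized entry Scott asks about."""
    s = ipaddress.ip_network(summary)
    return (f"access-list {acl_name} extended permit ip "
            f"{s.network_address} {s.netmask} {s.network_address} {s.netmask}")


def pairwise_matches(src, dst, subnets):
    """True if some explicit entry's source and destination nets contain this flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in a and dst in b for a, b in permutations(subnets, 2))


def summary_matches(src, dst, summary="10.0.0.0/8"):
    """True if the /8-to-/8 summary entry would match this flow."""
    s = ipaddress.ip_network(summary)
    return ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in s


def total_entries(subnets, acl_names=ACL_NAMES):
    """Entries across all ACLs when each carries the full pairwise list."""
    return len(acl_names) * len(pairwise_aces(acl_names[0], subnets))


if __name__ == "__main__":
    print(len(pairwise_aces("inside_nat", SUBNETS)), "entries per ACL")
    print(total_entries(SUBNETS), "entries across all four ACLs")
    # Flows the summary matches that the explicit list does not:
    # same-subnet traffic, and traffic to a 10/8 subnet not in the list.
    for src, dst in [("10.1.0.5", "10.1.0.9"), ("10.1.0.5", "10.200.0.1")]:
        print(src, "->", dst, "explicit:", pairwise_matches(src, dst, SUBNETS),
              "summary:", summary_matches(src, dst))
```

The difference matters for NAT-exempt and crypto-map ACLs: the summary also matches flows between hosts in the same /16 and flows to 10/8 space that is not one of the eleven subnets, so it is worth checking that such traffic is meant to be exempted from NAT or sent into the tunnel.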