I have the same question. The reference is the following article:
What does it mean that an access list for policy NAT cannot have DENY statements?
I thought of creating two complementary ACLs, one for a pool of addresses and ports and one for the rest of the world using DENY statements, but the specifications don't allow me to do that.
Perhaps the nat ids become important; I mean, do they represent the order in which the ACLs are processed?
Briefly, I have built a VPN to a remote site, say VPN_remote_IP; I have 2 interfaces on the Internet with 2 IPs,
4_Internet IP and VPN__IP. I have published the mail server on the outside interface (packets coming from and going to it pass through the outside interface). Following the article's suggestions I wish to create
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 4500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 5000
access-list 2WEB permit ip 192.168.4.0 255.255.255.0 0.0.0.0 0.0.0.0
and applying them in the following order
nat (inside) 1 access-list 2VPN-Endpoints
nat (inside) 2 access-list 2WEB
global (outside) 1 255.255.255.255
global (outside) 2 255.255.255.255
The question is:
as told above, is it correct, or do the nat id numbers have priority meaning, so that putting 2VPN-Endpoints at the top of the translation process lets the IPsec packets be translated by the 1st IP and all of the rest of the packets by the 2nd IP? I don't need a deny statement at the bottom of the 1st access list, do I?
The article doesn't talk about a PIX with 2 interfaces on the Internet side. What is your opinion? Any comments are welcome.
Alex.
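As an added illustration (not part of Alex's post and not PIX code), the following small model walks the two nat statements from the post in the order they are entered and returns the global address that would be chosen for a packet. It assumes first-match evaluation in configuration order with permit-only ACLs, and uses RFC 5737 documentation addresses as constructed placeholders for VPN_remote_IP and the two global IPs.

```python
import ipaddress
from typing import Optional

# Constructed placeholders for the post's VPN_remote_IP and the two global
# (outside) addresses; RFC 5737 documentation ranges, not real hosts.
VPN_REMOTE_IP = "203.0.113.10"
GLOBALS = {1: "198.51.100.1", 2: "198.51.100.2"}  # nat id -> global (outside) IP
INSIDE = "192.168.4.0/24"

# One access-list entry: protocol, source network, destination network,
# destination port (None = any). Mirrors the ACLs in the post.
ACL_2VPN_ENDPOINTS = [
    ("tcp", INSIDE, VPN_REMOTE_IP + "/32", 500),
    ("tcp", INSIDE, VPN_REMOTE_IP + "/32", 4500),
    ("tcp", INSIDE, VPN_REMOTE_IP + "/32", 5000),
]
ACL_2WEB = [("ip", INSIDE, "0.0.0.0/0", None)]


def acl_permits(acl, proto, src, dst, dport) -> bool:
    """True if any entry matches; the ACLs contain only permit lines."""
    for p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(s):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return True
    return False


def translate(rules, proto, src, dst, dport) -> Optional[str]:
    """Walk the nat statements in the given order; the first ACL that permits
    the packet selects the global pool. Assumption of this model: policy NAT is
    evaluated first-match in configuration order, so no deny line is needed."""
    for nat_id, acl in rules:
        if acl_permits(acl, proto, src, dst, dport):
            return GLOBALS[nat_id]
    return None  # no nat statement matched: no translation


# The order from the post: 2VPN-Endpoints as nat id 1, then the catch-all 2WEB.
POST_ORDER = [(1, ACL_2VPN_ENDPOINTS), (2, ACL_2WEB)]
# The reverse order, to show what happens when the catch-all comes first.
REVERSED = [(2, ACL_2WEB), (1, ACL_2VPN_ENDPOINTS)]
```

Because the ACL in the post matches tcp only, a udp/500 packet to VPN_remote_IP falls through to 2WEB in this model; this is worth checking against the actual traffic before relying on the first entry.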