PIX 515 nat 0 and vpn site-2-site

Hi NG,

I've got 2 sites which I would like to connect via VPN site-2-site. Now with 
one of the sites I've got a nat 0 access-list statement. And for the second I'd 
like to nat 0 again.
But since it overwrites that statement I can only set one single nat 0 
statement ... I do not want to NAT to these other sites!

nat (inside) 0 access-list ACL_SITE_1
((nat (inside) 0 access-list ACL_SITE_2))

access-list ACL_SITE_1 permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
((access-list ACL_SITE_2 permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 
0.0.255.255))

How should I solve this?
Thank ya,
Colin

--
pix 515E:
 nat [(<real_ifc>)] <nat-id>
{<real_ip> [<mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [outside] [<max_conn> [<emb_limit>]]



0
colin
10/2/2005 9:06:14 AM

In article <433fa307$0$8075$fb624d75@newsspool.solnet.ch>,
colin <colin.cant@solnet.ch> wrote:
:I've got 2 sites which I would like to connect via VPN site-2-site. Now with 
:one of the sites I've got a nat 0 access-list statement. And for the second I'd 
:like to nat 0 again.
:But since it overwrites that statement I can only set one single nat 0 
:statement ... I do not want to NAT to these other sites!

:nat (inside) 0 access-list ACL_SITE_1
:((nat (inside) 0 access-list ACL_SITE_2))

:access-list ACL_SITE_1 permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
:((access-list ACL_SITE_2 permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 0.0.255.255))

:How should I solve this?

access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
access-list nonat_acl permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 0.0.255.255
nat (inside) 0 access-list nonat_acl


With PIX 4/5/6, any time that you try to use a single ACL in two different
contexts (e.g., nat 0 access-list and crypto map match address) then
you are very likely configuring incorrectly or running into a Cisco bug.
Only use any given ACL for one purpose.

-- 
  "It is important to remember that when it comes to law, computers
  never make copies, only human beings make copies.  Computers are given
  commands, not permission. Only people can be given permission."
                                               -- Brad Templeton
0
roberson
10/2/2005 4:16:17 PM
> access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
> access-list nonat_acl permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 0.0.255.255
> nat (inside) 0 access-list nonat_acl

What about the decision which VPN tunnel to use in such a config? It does 
not make sense to me, since you define which IPs should be taking which 
tunnel in this context or not...?
If you define only one, where are the packets sent to? To which site?

Thank ya 


0
colin
10/12/2005 4:44:41 PM
In article <434d4498$0$8073$fb624d75@newsspool.solnet.ch>,
colin <colin.cant@solnet.ch> wrote:
:> access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
:> access-list nonat_acl permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 0.0.255.255
:> nat (inside) 0 access-list nonat_acl

Did I really write X.Y.Z.Z 0.0.255.255 ??
Ah yes, I really did... I copied from the original posting. Very likely
that second line should read

access-list nonat_acl permit ip 10.x.x.0 255.255.0.0  X.Y.Z.Z 255.255.0.0


:What about the decision which VPN tunnel to use in such a config? It does 
:not make sense to me, since you define which IPs should be taking which 
:tunnel in this context or not...?
:If you define only one, where are the packets sent to? To which site?

nat (inside) 0 access-list nonat_acl
does not directly influence the choice of VPN tunnel. All it does
is say which flows will have NAT turned off.

Selection of VPN tunnel is by matching the *after*-NAT addresses
against the crypto map match address list. The list with the lowest
crypto policy number is looked at first; if there is no match there,
the next lowest is looked at and so on... [though if there is any
overlapping between them such that the policy order matters, you are
very very likely going to have mysterious VPN problems!]
0
roberson
10/12/2005 5:30:33 PM
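As an added illustration (not code from this thread or from Cisco), here is a small Python model of the lookup order roberson describes: a flow is first checked against the nat 0 access-list (top-down, first permit wins), and the tunnel is then chosen by matching the after-NAT addresses against the crypto map entries in ascending sequence order. It assumes that flows not exempted are PATed to an assumed outside address (GLOBAL_IP), and all sample addresses and ACL names are constructed stand-ins for the thread's placeholders; a mask that is an IOS-style wildcard such as 0.0.255.255 is rejected, since PIX expects a netmask.

```python
import ipaddress

def is_netmask(mask: str) -> bool:
    """PIX masks are contiguous netmasks (255.255.0.0); an IOS wildcard (0.0.255.255) is not one."""
    inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return inv & (inv + 1) == 0

def parse_ace(line: str):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' ('host A.B.C.D' allowed) -> (NAME, (src, dst))."""
    _, name, _, _, *rest = line.split()  # the access-list/permit/ip keywords are not validated here
    nets = []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1]))
        elif is_netmask(rest[1]):
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
        else:
            raise ValueError(f"{rest[1]} is not a netmask: {line}")
        rest = rest[2:]
    src, dst = nets  # exactly a source and a destination are expected
    return name, (src, dst)

def first_match(acl, src, dst) -> bool:
    """ACEs are evaluated top-down; the first permit wins, otherwise implicit deny."""
    return any(src in s and dst in d for s, d in acl)

def classify(nonat, crypto_map, global_ip, src, dst):
    """-> (nat_exempt, crypto_seq); the tunnel is chosen on the after-NAT source (exempt flows keep their inside address, others are assumed PATed to global_ip)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = first_match(nonat, src, dst)
    post_nat_src = src if exempt else ipaddress.ip_address(global_ip)
    for seq in sorted(crypto_map):  # lowest crypto map sequence number is tried first
        if first_match(crypto_map[seq], post_nat_src, dst):
            return exempt, seq
    return exempt, None

def overlapping_entries(crypto_map):
    """Pairs of crypto map entries whose match lists overlap, so policy order alone decides the tunnel."""
    seqs = sorted(crypto_map)
    return [(a, b) for i, a in enumerate(seqs) for b in seqs[i + 1:]
            if any(xs.overlaps(ys) and xd.overlaps(yd) for xs, xd in crypto_map[a] for ys, yd in crypto_map[b])]

GLOBAL_IP = "203.0.113.1"  # assumed outside PAT address; every sample address below is constructed
NONAT = [parse_ace(l)[1] for l in (
    "access-list nonat_acl permit ip 176.16.0.0 255.255.0.0 host 198.51.100.7",
    "access-list nonat_acl permit ip 10.1.0.0 255.255.0.0 172.20.0.0 255.255.0.0")]
CRYPTO = {  # one dedicated ACL per crypto map entry; the nonat ACL itself is never reused
    10: [parse_ace("access-list site1_crypto permit ip 176.16.0.0 255.255.0.0 host 198.51.100.7")[1]],
    20: [parse_ace("access-list site2_crypto permit ip 10.1.0.0 255.255.0.0 172.20.0.0 255.255.0.0")[1]],
}
```

classify(NONAT, CRYPTO, GLOBAL_IP, "10.1.5.5", "172.20.3.3") returns (True, 20), while a flow the nonat list does not cover, such as 10.1.5.5 to 198.51.100.7, returns (False, None) because its PATed source matches no crypto map entry.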