NAT with access-list

Similar Questions

• Please help: NAT (inside) 0 0 0 and NAT (inside) - access list 0

  I have a problem with my PIX firewall.

  I don't want any NAT to the origin of traffic inside the interface.

  When I give

  NAT (inside) - 0 80 access list

  access ip-list 80 allow a whole

  It works very well

  But when I tried

  NAT (inside) 0 0 0

  ITZ not working is not for my IPsec clients

  According to my knowledge PIX requires input NAT to allow traffic from security interface higher to lower security interface. Can I use NAT 0 by which I can get around the NAT.

  Help, please?

  Hello

  identity nat works with access-list... IE nat 0 statement with an ACL... or you can specify the network... don't know if you can put 0 0... I have not seen that someone put this...

  refer to the documentation of nat for this command:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/Mr.htm#wp1161298

  to the first config... That's right... who has a list of acess 80!

  REDA

• Public static NAT vs. Access-List

  Hello

  I have a question what is the best practice static NAT and access list. Example:

  Server (192.168.1.1) Web inside to outside (10.10.10.10) with the port 80 and 443.

  IP nat inside source static tcp 192.168.1.1 80 10.10.10.10 80

  IP nat inside source static tcp 192.168.1.1 10.10.10.10 443 443

  Or

  IP nat inside source static 192.168.1.1 10.10.10.10

  Access-list 101 permit tcp any host 10.10.10.10 eq 80

  Access-list 101 permit tcp any host 10.10.10.10 eq 443

  interface ethernet0
  IP access-group 101 in

  Thank you

  The operational reasons - it will break things.

• access-list with PAT

  Hi guys,.

  I would like to know if the accesslist with PAT, you can refuse statements. IE reject the order under the access list for the traffic that you do not want to be PATed.

  example:

  access list acl-pat deny ip 10.0.0.1 0.0.0.0 all

  permit access-list acl - pat ip 10.0.0.0 0.0.0.255 any

  If I won't 10.0.0.1 PATed.

  Hello

  It's perfectly legal and quite a common practice.

  Hope that help - rate pls post if it does.

  Paresh

• Lock the AnyConnect VPN with broader access list

  I'm trying to lock my AnyConnect VPN interface. I use the split tunneling. I want only to http tunnel traffic to an external http server we have and ftp to another external server behave. I don't want anything else through the tunnel or anywhere else allowed on our network. My current setup, I can connect to the vpn and the servers ping external ip address, but not by name. I can also not navigate anywhere else while I'm connected. It is not imperative for me to navigate anywhere else, when you are connected, but I need to allow only access specified above.

  Configuration:

  attributes Anyconnect-group policy

  VPN-tunnel-Protocol svc webvpn

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list WebAccessVPN

  WebVPN

  list of URLS no

  SVC request to enable default webvpn

  WebAccessVPN list extended access allow icmp disable any newspaper host FTP - EXT object-group Ping_and_Trace

  External FTP FTP access WebAccessVPN-list comment

  WebAccessVPN list extended access permitted tcp disable no matter what newspaper to host FTP - EXT object-group DM_INLINE_TCP_2

  WebAccessVPN list extended access allow icmp disable any newspaper host LICENSING-EXT object-group Ping_and_Trace

  WebAccessVPN list extended access allowed object-group TCPUDP any LICENSING-EXT eq www log disable host

  WebAccessVPN list extended access deny ip any object-group DM_INLINE_NETWORK_1

  You can use the vpn filter under the attributes of political group. In the vpn-filter, you can reference the access list you created.

• New to pix, need help with "debug access list of all the" command

  I have a pix 515 v6.3. I am tring to use then "debug access list of all the" command to see what traffic is stopped by my access list. However, I don't get any output. I turn execution of the command, but nothing happens. Other debug commands give the console. Perhaps, I do not understand what "debug to access list of all the" is used for. Any help that can be provided would be greatly appreciated.

  Tim

  Also try following the commands of logging

  LOGG on

  LOGG buff 7

  term Lun

  M.

• allow icmpv6 in ipv4-access list in the tunnel

  Hello

  I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

  My tunnel works and is as follows:

  interface Tunnel0

  no ip address

  IPv6 address

  enable IPv6

  source of tunnel

  ipv6ip tunnel mode

  tunnel destination

  So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

  Access list that I apply is the following:

  allow tcp any a Workbench

  allowed UDP any eq field all

  allowed any EQ 67 udp no matter what eq 68

  allowed UDP any eq 123 everything

  allowed UDP any eq 3740 everything

  allowed UDP any eq 41 everything

  allowed UDP any eq 5072 everything

  allow icmp a whole

  deny ip any any newspaper

  Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

  TCP 3874	TIC.sixxs.net	IPv4	ICT (Information Tunnel & Control Protocol)	Used to retrieve the information of tunnel (for instance AICCU)	Uses the TCP protocol and should work without problems
  UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive	the user only to pop out
  Protocol 41	PoP	IPv4	IPv6 over IPv4 (6 in 4 tunnel)	Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat)	We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
  UDP 5072	PoP	IPv4	AYIYA (anything in anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Must cross most NAT and even firewalls without any problem
  ICMPv6 echo response.	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel	No, because it is happening inside the tunnel

  I missed something?

  sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

  Hope someone can help me.

  Hello

  In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

  If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

  Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

  But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

  -Jouni

• FWSM firewall context Access-List entry Limitation

  We have recently experienced an error on one of the firewall settings that it has reached the maximum access list entry. Anyone know what is the limit of the ACL entry by context or where can I find the documentaton for her. No work around to this issue? Thanks in advance.

  Hello

  This value changes depending on which version of the FWSM code you run - and Cisco gets not specific on how the FWSM calculates entered ACE to determine the number of entries you have on your own.

  If you run the command (syntax may be different in 3.x code):

  See the np 3 acl County property

  You get a result that looks like this:

  -CLS rule current account-

  CLS filter rule Count: 0

  CLS rule Fixup count: 11

  CLS is Ctl rule Count: 0

  CLS AAA rule count: 2187

  CLS is given rule Count: 0

  CLS Console rule count: 7

  Political CLS NAT rule Count: 0

  County of CLS ACL rule: 3491

  Add CLS uncommitted ACL: 0

  CLS ACL Del uncommitted: 0

  -CLS rule MAX - account

  CLS filter MAX: 3584

  CLS Fixup MAX: 32

  CLS is Ctl rule MAX: 716

  CLS is given rule MAX: 716

  AAA CLS MAX rule: 5017

  CLS Console rule MAX: 2150

  Political CLS NAT rule MAX: 3584

  CLS ACL rule MAX: 56627

  The counts are your real numbers, MAX is the maximum you can have. AAA rules are numbered for how As you can have applied altogether with your orders of "aaa game. For your question, it seems that you should check your 'CLS ACL rule Count' and 'CLS ACL rule MAX' and make sure you get not close to that number. If you are - try to limit the number of host entries (use the networks) where possible and try to use ranges of ports instead of individual ports in your access list statements.

  I'll try to find the syntax 7.x and post here later.

  -Jason

  Rate if this can help.

• Static NAT with the road map for excluding the VPN

  We have problems of access to certain IPs NATted static via a VPN.  After some research, we have learned that you have to exclude traffic destined for the VPN to the static NAT using a road map. So we did this:

  10.1.1.x is the VPN IP pool.

  access-list 130 refuse ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 allow ip 192.168.1.0 0.0.0.255 any

  sheep allowed 10 route map
  corresponds to the IP 130

  IP nat inside source static 192.168.1.5 1.1.1.1 sheep map route

  Above worked to fix the VPN but the IP 192.168.1.5 is no longer publicly available via 1.1.1.1.  What seems to happen, is that the static NAT is not really work and this IP address is NATted with the IP of PAT.

  Any ideas on how to get this to work?

  Thank you
  Diego

  Hello

  The following example details exactly your case:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

  Try to replace the 192.168.1.0 subnet by the host address.

  It should work

  HTH

  Laurent.

• Cisco ASA vpn site to site with access internet, error

  Hello

  I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
  Where would be the problem?

  There's config:

  ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
 domain-name lietuvosdujos.lt
object network LAN
 subnet 192.168.204.0 255.255.255.0
 description Local Area Network
object network LD_Lanai
 subnet 192.168.0.0 255.255.0.0
 description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
 key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
 vpn-filter value vpn
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
 default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]/* */
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end

  Two things are here according to you needs.

  First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.

  object network LAN
 subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN any

  Second, you have not an exempt statement NAT so that encrypted traffic should not be translated.  This statement would look like the following:
  the object of the LAN network
  192.168.204.0 subnet 255.255.255.0

  being REMOTE-LAN network
  255.255.255.0 subnet 192.168.100.0

  Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN

  --

  Please do not forget to choose a good response and the rate

• Effect of the access lists on free access of high to low by default

  I'll implement access rules list on PIX525 (V6.3) with several DMZ, but want to minimize the rules.

  Scenario - 3 interfaces (inside (secuity100, average security50 outside Security0)

  To allow hosts on the way to reach the inside I create an access list applied to a central interface. However, will be an implicit (or explicit) deny at the end of the access list prevents the intermediate hosts with default value to open access to the lower security outside the interface?

  Thank you

  Mick

  Level of security and access lists:

  To grant access of lower to higher level, you need to an access list and a static.

  Equal to equal level cannot talk to each other.

  Higher level of security can talk to lower levels, if there is no access on this interface list and the NAT is configured correctly.

  ACL will add at the end a "deny ip any any" after a statement of license. So getting back to your question: If you allow a DMZ host to connect internal host on a specific port that all other connections are blocked. You must specify all the tarffic in this access list otherwise they will be blocked.

  The only exception is the traffic may be from other interface access lists to the demilitarized zone, answers etc. For example, you are allowing port 80 to a dmz host outside this traffic will not be verified again by the dmz access list.

  sincerely

  Patrick

• problem of access lists

  Hello, I have a problem with PIX Firewall Version 6.0 (1), the problem is:

  I have a pix with interface 3 inside, outside and dmz.

  IP address outside x.x.x.2 255.255.255.248

  IP address inside 200.115.10.10 255.255.255.0

  192.168.6.28 dmz IP address 255.255.255.0

  I need to make an acl where only 3 PC inside access server installed in the demilitarized zone, with a public ip, but the LCD is not working.

  Here is the ACL, but I change the IP addresses.

  access-list 108 allow ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0

  access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

  access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

  access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

  access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

  access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

  access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

  pager lines 24

  opening of session

  interface ethernet0 car

  Auto interface ethernet1

  Auto interface ethernet2

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 dmz

  IP address outside x.x.x.2 255.255.255.248

  IP address inside 200.115.10.10 255.255.255.0

  192.168.6.28 dmz IP address 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  172.16.1.1 - 172.16.1.254 test IP local pool

  no failover

  failover timeout 0:00:00

  failover poll 15

  failover outside 0.0.0.0 ip address

  IP Failover inside 0.0.0.0

  failover dmz 0.0.0.0 ip address

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  Global (dmz) 1 192.168.6.10

  NAT (inside) - 0 108 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0

  (inside) alias x.x.x.5 192.168.6.30 255.255.255.255

  static (inside, outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0

  static (inside, outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0

  static (dmz, external) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0

  conduct permitted tcp x.x.x.6 eq lotusnotes host everything

  conduct permitted tcp 2x.x.x.4 eq www host everything

  conduct permitted tcp x.x.x.4 eq lotusnotes host everything

  conduct permitted tcp x.x.x.5 eq www host everything

  driving allowed host tcp x.x.x.5 eq field all

  allow icmp a conduit

  driving allowed host tcp https eq x.x.x.5 all

  conduct permitted tcp 2x.x.x.5 eq 21010 host everything

  the public IP address I need to access it from the inside is x.x.x.5

  Hello

  The ACL you provide will always be the same when shorten you it to this:

  access-list 110 deny tcp host 200.115.10.0 host x.x.x.5

  Access-group 110 in the interface inside

  (it wouldn't work well, because the host 200.115.10.0 * watch the zero * probably does not exist)

  Assuming that your dmz has a lower securitylevel then your inside interface, you must remember that if the packages are make from the highest to the lowest level of security the PIX performs the following operations:

  (1) if it is an existing stream, leave the package through

  (2) if it is not an existing stream, see ACL

  (3) if the ACL refuses, then drop the package, if ACL allows, leave package through

  (4) if the ACL does not at all, leave the package through (since it is the high level of low security)

  But I guess that this is not what you want to achieve.

  I think you need something like this:

  access-list 110 permit tcp host 200.115.10.40 x.x.x.5 eq www

  access-list 110 permit tcp host 200.115.10.41 x.x.x.5 eq www

  access-list 110 permit tcp host 200.115.10.42 x.x.x.5 eq www

  access-list 110 deny ip 200.115.10.0 255.255.255.0 255.255.255.0 x.x.x.0

  (assuming that you have a 24 - bit subnet on your dmz)

  access ip-list 110 permit a whole

  Access-group 110 in the interface inside

  This will allow three internal hosts to access the server x.x.x.5 you dmz with HTTP, than anyone else on the 200.115.10.0/24 subnet to the dmz and allow traffic on all the others outside.

  I hope this helps.

  Kind regards

  Leo

• PIX 525 access-list

  I know it must be simple, however, I have some difficulty doing that work. I use version 5.3

  I'm trying to block access to the internet at 172.16.39.X. whatever it is on this network should NOT be able to access the internet.

  I use the list of access and access - group commands but I must have some syntax errors or something as there doesn't seem to be blocking access. Could someone provide a concrete syntax for this address with 255.255.255.0 subnet so I can see if perhaps I simply make a mistake in the entry. I am new to PIX so I wouldn't be really surprised.

  Thank you

  Dave

  You can do this in several ways:

  1. you can exclude this your NAT range. This will not allow this range out to the internet.

  2. on your inside interface, apply this rule:

  insideACL list access deny ip 172.16.39.0 255.255.255.0 any

  insideACL ip access list allow a whole

  I hope this helps.

• Question of access list for Cisco 1710 performing the 3DES VPN tunnel

  I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

  For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

  My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

  Any input or assistance would be greatly appreciated.

  Map Test 11 ipsec-isakmp crypto

  ..

  match address 120

  Interface Ethernet0

  ..

  card crypto Test

  IP nat inside source overload map route sheep interface Ethernet0

  access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 allow ip 192.168.100.0 0.0.0.255 any

  sheep allowed 10 route map

  corresponds to the IP 130

  He would go through the interface e0 to the Internet in clear text without going above the tunnel

  Jean Marc

• Routing VPN access list

  Hello

  I have a PIX 525 to my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) to remote sites.

  The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot speak to any other remote sites, just the main site.

  I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Can I change the subnet mask in the first line and put the second line first?

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  access-list 103 allow ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255

  Or should I let the deny at the end statement, and add a line for each of the other remote sites:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  ... (others)

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Thank you.

  John

  John

  Help the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only is connected via a VPN. How have the other connectivity? It is all over the links within your private network? Is there than any NAT involved in these other connections?

  In my previous answer, I assumed that there will be multiple VPN connections, revealing your additional information is not the case. So my comment about limitations in PIX for talk of talks is true but not applicable to your situation.

  Other remote sites are also coming via the VPN? If yes access list 100 which the 1721 uses to identify the IPSec traffic (and that was not in your posted material) will probably have to be changed.

  According to access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate put it as the first entry in the access list. What about if you want to use ip 10.0.0.0 allow 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual licenses, according to me, a point to consider is that allowed 10.0.0.0 0.255.255.255 will allow any space of 10 addresses. It seems that you use 1 to 47. What happens if something came through 10.122.x.x? I suggest a compromise approach. You can use this:

  IP 10.0.0.0 allow 0.31.255.255 10.19.0.0 0.0.255.255

  ip licensing 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255

  This would allow 1 to 47 but not others.

  HTH

  Rick