singhsaju Fri, 10/03/2008 - 08:59
User Badges:
  • Silver, 250 points or more


Do not use NAT 0 but allow the traffic to be PAT'ed and create Crypto ACL with Pate'd address as source .

For Example :If is remote private network and X.X.X.X is the PIX 's outside interface IP. The remote side will have Crypto ACL as mirror image of the access -list 101.

interface Ethernet0

nameif outside

security-level 0

ip address X.X.X.X

interface Ethernet1

nameif inside

security-level 100

ip address

nat (inside) 1

global (outside) 1 interface

access-list 101 extended permit ip host X.X.X.X

crypto ipsec transform-set my-set esp-aes-256 esp-sha-hmac

crypto map mymap 20 match address 101

crypto map mymap 20 set peer

crypto map mymap 20 set transform-set my-set

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *



Pls rate helpful posts


This Discussion