singhsaju Fri, 10/03/2008 - 08:59

Hello,


Do not use NAT 0, but allow the traffic to be PAT'ed and create the Crypto ACL with the PAT'ed address as source.


For example: if 172.16.0.0/16 is the remote private network and X.X.X.X is the PIX's outside interface IP, the remote side will have a Crypto ACL that is a mirror image of access-list 101.


interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

access-list 101 extended permit ip host X.X.X.X 172.16.0.0 255.255.0.0

crypto ipsec transform-set my-set esp-aes-256 esp-sha-hmac
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 172.30.1.1
crypto map mymap 20 set transform-set my-set
crypto map mymap interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 172.30.1.1 type ipsec-l2l
tunnel-group 172.30.1.1 ipsec-attributes
 pre-shared-key *



HTH

Saju

Pls rate helpful posts
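The two things this answer relies on can be checked mechanically: the local crypto ACL must be sourced from the PAT'ed outside-interface host (because with `nat`/`global` to the interface the traffic reaches the crypto map already translated), and the remote peer's crypto ACL must be the exact mirror image. The Python below is an added example, not code from the post or from Cisco. It assumes the simple ACE grammar used in the post (`access-list <id> extended permit|deny <proto> <src> <dst>`, endpoints written as `host A.B.C.D`, `any`, or `A.B.C.D M.M.M.M`), and uses the constructed value 203.0.113.10 in place of X.X.X.X.

```python
"""Mirror a PIX/ASA crypto ACL for the remote peer and check the PAT source.

Added example, not part of the forum post. Assumes the ACE grammar the post
uses: 'access-list <id> extended <permit|deny> <proto> <src> <dst>', where
each endpoint is 'host A.B.C.D', 'any', or 'A.B.C.D M.M.M.M'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    acl_id: str
    action: str
    proto: str
    src: str   # normalised endpoint text, e.g. 'host 203.0.113.10'
    dst: str


def _parse_endpoint(tokens, i):
    """Parse one endpoint starting at tokens[i]; return (text, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        ipaddress.ip_address(tokens[i + 1])        # raises ValueError on a bad address
        return f"host {tokens[i + 1]}", i + 2
    # network followed by a dotted mask; strict=True rejects a network with host bits set,
    # which is a common typo that silently narrows or breaks the crypto match
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=True)
    return f"{net.network_address} {net.netmask}", i + 2


def parse_ace(line):
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line!r}")
    acl_id, action, proto = tokens[1], tokens[3], tokens[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_endpoint(tokens, 5)
    dst, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {tokens[i:]}")
    return Ace(acl_id, action, proto, src, dst)


def mirror_ace(ace, remote_acl_id):
    """The remote peer's ACE is the local one with source and destination swapped."""
    return Ace(remote_acl_id, ace.action, ace.proto, ace.dst, ace.src)


def render_ace(ace):
    return f"access-list {ace.acl_id} extended {ace.action} {ace.proto} {ace.src} {ace.dst}"


def crypto_acl_matches_pat(ace, outside_ip):
    """With 'nat (inside) 1 0.0.0.0 0.0.0.0' and 'global (outside) 1 interface', the
    traffic is already translated to the outside address when the crypto map is
    evaluated, so the local crypto ACE must be sourced from exactly that host."""
    return ace.src == f"host {outside_ip}"


def remote_acl_for(local_line, remote_acl_id="101"):
    """Render the remote side's mirror-image ACE for one local ACE line."""
    return render_ace(mirror_ace(parse_ace(local_line), remote_acl_id))


# Constructed sample values (documentation ranges); 203.0.113.10 stands in for X.X.X.X.
OUTSIDE_IP = "203.0.113.10"
LOCAL_ACE = f"access-list 101 extended permit ip host {OUTSIDE_IP} 172.16.0.0 255.255.0.0"
# A pre-NAT inside source: after PAT this never matches, so no traffic is encrypted.
WRONG_ACE = "access-list 101 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0"


if __name__ == "__main__":
    print(remote_acl_for(LOCAL_ACE))
    print(crypto_acl_matches_pat(parse_ace(LOCAL_ACE), OUTSIDE_IP))   # True
    print(crypto_acl_matches_pat(parse_ace(WRONG_ACE), OUTSIDE_IP))   # False
```

Running it prints the remote peer's ACE (`access-list 101 extended permit ip 172.16.0.0 255.255.0.0 host 203.0.113.10`) and flags the pre-NAT inside network as a source that can never match once the traffic has been PAT'ed.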

