10-08-2008 06:05 AM
I have a policy NAT configured from our company to another company and it is working fine.
My device is 10.1.150.1
NATed to 10.9.0.3
Their device is 10.1.15.3
Everything works fine through the VPN tunnel when configured this way:
access-list NO_NAT line 2 extended deny ip host 10.1.150.1 host 10.1.15.3
static (inside,outside) 10.9.0.3 access-list yourcompanytranslation3
access-list yourcompanytranslation3 line 1 remark Next line is for yourcompany ATM Policy NAT
access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3
crypto map mycompany 30 match address yourcompany
crypto map mycompany 30 set peer 12.1.7.160
crypto map mycompany 30 set transform-set 3dessha
crypto map mycompany 30 set security-association lifetime seconds 3600
access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3
The remote end has some applications that my end will be using in the future to additional addresses. I would like to filter the traffic to make sure we are only allowing outbound traffic that is needed.
My question is
Do I filter the traffic on the translation access-list:
access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT
access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3 eq 5202
access-list yourcompanytranslation3 line 3 permit ip host 10.1.150.1 host 10.1.10.223 range 3464 3467
Or do I filter it on the access-list applied to the crypto map:
access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3 eq 5202
access-list yourcompany line 2 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.10.223 range 3464 3467
10-09-2008 12:28 AM
First of all you cannot specify ports with 'permit ip' access lists. You need to use 'permit tcp/udp' ACLs.
Just be specific with the NAT ACL, this way all required traffic will be NATed to the 10.9.x.x address. The traffic will hit the crypto 'permit IP' ACL only when it is NATed, so there is no need to change the crypto ACL.
Any traffic that does not hit the NAT ACL (as in does not get NATed), will never hit the crypto ACL anyway (because its source will not be 10.9.x.x).
Regards
Farrukh
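As an added illustration (not code from this thread or from Cisco), the Python below models the order of operations Farrukh describes: a flow is matched against the policy NAT ACL first, the static rewrites its source, and only then is the crypto map ACL evaluated, so a flow that misses the NAT ACL never reaches the crypto ACL. The ACL lines are the ones quoted in this thread; the first-match evaluation, the sample flows and the simplified ACE grammar are assumptions of the model, not a full ASA implementation.

```python
import ipaddress
import re

# Constructed model (not ASA code): the policy NAT ACL is checked first and the
# crypto map ACL only sees the translated source. ACL lines come from the thread.
NAT_ACL = [
    "access-list yourcompanytranslation3 line 2 permit tcp host 10.1.150.1 host 10.1.15.3 eq 5202",
    "access-list yourcompanytranslation3 line 3 permit tcp host 10.1.150.1 host 10.1.10.223 range 3464 3467",
]
CRYPTO_ACL = ["access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3"]
STATIC_MAPPED = "10.9.0.3"  # from: static (inside,outside) 10.9.0.3 access-list yourcompanytranslation3
ACE_RE = re.compile(
    r"permit (?P<proto>ip|tcp|udp) (?P<src>host \S+|\S+ \S+) (?P<dst>host \S+|\S+ \S+)"
    r"(?: eq (?P<eq>\d+)| range (?P<lo>\d+) (?P<hi>\d+))?$"
)

def _net(token):
    """'host A' -> A/32; 'A MASK' -> the network with that dotted mask."""
    parts = token.split()
    spec = parts[1] + "/32" if parts[0] == "host" else "/".join(parts)
    return ipaddress.ip_network(spec, strict=False)

def parse_ace(line):
    """Return (proto, src_net, dst_net, (lo, hi) or None) for one permit ACE."""
    m = ACE_RE.search(line)
    if not m:
        raise ValueError("unsupported ACE: " + line)
    ports = None
    if m["eq"]:
        ports = (int(m["eq"]), int(m["eq"]))
    elif m["lo"]:
        ports = (int(m["lo"]), int(m["hi"]))
    return m["proto"], _net(m["src"]), _net(m["dst"]), ports

def acl_permits(acl, proto, src, dst, dport):
    """First-match ACL evaluation; remarks are skipped, 'ip' matches any protocol."""
    for line in acl:
        if " remark " in line:
            continue
        p, s, d, ports = parse_ace(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d
                and (ports is None or ports[0] <= dport <= ports[1])):
            return True
    return False

def outbound(proto, src, dst, dport):
    """Policy NAT first, then the crypto ACL: (source seen by crypto map, tunnelled?)."""
    if acl_permits(NAT_ACL, proto, src, dst, dport):
        src = STATIC_MAPPED  # the static rewrites 10.1.150.1 to 10.9.0.3
    return src, acl_permits(CRYPTO_ACL, proto, src, dst, dport)
```

Because the crypto ACL used here is the one from the first post, which only names host 10.1.15.3, a flow to 10.1.10.223 is translated but not selected for the tunnel until the crypto ACL also covers that destination.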
10-09-2008 04:28 AM
Thanks for the reply,
I had copied and pasted the ACL, then added the port and didn't notice the IP vs TCP.
The ASA wouldn't have let me put it in that way either.
Thanks for pointing that out.
I suspected I should be specific on the NAT ACL.
I appreciate you confirming, thanks.
10-16-2008 05:58 AM
I have a follow up question on this,
If the remote end needs to also access my host (two way), do I need to modify the translation access-list for two way traffic?
For example:
access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT
access-list yourcompanytranslation3 line 2 permit tcp host 10.1.150.1 host 10.1.10.223 range 3464 3467
access-list yourcompanytranslation3 line 3 permit tcp host 10.1.10.223 host 10.1.150.1 range 3464 3467
access-list yourcompanytranslation3 line 4 permit tcp host 10.1.150.1 host 10.1.15.3 eq 5202
access-list yourcompanytranslation3 line 5 permit tcp host 10.1.15.3 host 10.1.150.1 eq 5202
10-18-2008 03:38 AM
No Wilsos, the static command is bidirectional. So is the nat 0 ACL (NAT exemption).
Regards
Farrukh