crypto map access list contains public addresses?

Unanswered Question
Mar 20th, 2009

I have a somewhat unusual VPN connection, where the crypto map's access-list contains public addresses:

crypto map CRYPTO 20 ipsec-isakmp
 set peer 194.48.130.98
 set transform-set NAMEMOB
 ...
 match address 102

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63

...

That is required by that company.

62.100.68.171 is my server. I have to relocate it behind the router, so I have to NAT it.

I am going to include the following statement in my router's configuration file:

ip nat inside source static 10.100.23.45 62.100.68.171

What I do not know is how to limit access to this server. Which statement do I have to include in the input ACL on my outside interface?

Jon Marshall Fri, 03/20/2009 - 02:22

Pera

Not entirely sure what you are asking here. The order of operation outside to inside is to check the input acl before NAT (see this doc - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml). So you would use the public IP address of the server to limit access.

Alternatively you could use an outbound acl on your inside interface and use the private IP address of the server.

Jon

hoffenheim Fri, 03/20/2009 - 04:32

I have read that Cisco web page.

OK,

I have to include these two statements in the inbound ACL on my outside interface:

permit ip host 194.48.130.98 host 62.100.68.171

deny ip any host 62.100.68.171?

I mean, do I have to include the address that I use in set peer in my crypto map?
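The configuration below is an added example, not something posted in this thread, and it is not Cisco's reference configuration. It puts Jon's answer (inbound on the outside interface the ACL runs before NAT, so filter on the public address; or filter outbound on the inside interface using the private address) into a complete fragment, and it also answers the follow-up question about the peer address: the peer address 194.48.130.98 is what the IKE and ESP packets come from, but the traffic that pops out of the tunnel carries the source addresses of the remote network in ACL 102 (194.48.129.192/26), not the peer's address. The interface names, the router's own outside address 62.100.68.161 and mask, the inside subnet 10.100.23.0/24 and the ACL names OUTSIDE-IN and INSIDE-OUT are assumptions made for the example; the addresses that come from the thread are the server (62.100.68.171 public, 10.100.23.45 private), the peer and the remote subnet.

```cisco
! Added example configuration (not from the original thread).
! Assumed: FastEthernet0/0 is the outside interface with the router's own
! public address 62.100.68.161/27, FastEthernet0/1 is the inside interface,
! and the ACL names OUTSIDE-IN and INSIDE-OUT are invented for this example.
!
interface FastEthernet0/0
 description Outside (Internet, VPN peer side)
 ip address 62.100.68.161 255.255.255.224
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map CRYPTO
!
interface FastEthernet0/1
 description Inside (server LAN)
 ip address 10.100.23.1 255.255.255.0
 ip nat inside
!
! Static one-to-one NAT. The server keeps its old public identity, so the
! existing crypto ACL 102 (which matches host 62.100.68.171) still selects
! its traffic: inside-to-outside, NAT runs before the crypto map check.
! Outside-to-inside, the interface input ACL runs before NAT, so the ACL
! below has to refer to the public address, as Jon said.
ip nat inside source static 10.100.23.45 62.100.68.171
!
ip access-list extended OUTSIDE-IN
 remark -- IPsec control and data plane from the VPN peer to this router.
 remark -- This is where the "set peer" address belongs, not in the rules
 remark -- for the server itself.
 permit udp host 194.48.130.98 host 62.100.68.161 eq isakmp
 permit udp host 194.48.130.98 host 62.100.68.161 eq non500-isakmp
 permit esp host 194.48.130.98 host 62.100.68.161
 remark -- Decrypted tunnel traffic: the mirror image of crypto ACL 102.
 remark -- Needed on IOS releases that run clear-text packets through this
 remark -- ACL again after decryption; harmless on releases that do not.
 permit ip 194.48.129.192 0.0.0.63 host 62.100.68.171
 remark -- Nothing else from the Internet may reach the server.
 deny   ip any host 62.100.68.171
 remark -- Rules for the rest of the network go here; the implicit deny
 remark -- at the end of the list drops everything not listed above.
!
! Alternative (Jon's second suggestion): filter after NAT, outbound on the
! inside interface, where the server is seen by its private address.
ip access-list extended INSIDE-OUT
 permit ip 194.48.129.192 0.0.0.63 host 10.100.23.45
 deny   ip any host 10.100.23.45
 permit ip any any
!
interface FastEthernet0/1
 ip access-group INSIDE-OUT out
```

Two checks worth doing after applying this: `show crypto ipsec sa` should show the SA with local identity 62.100.68.171/255.255.255.255 and remote identity 194.48.129.192/255.255.255.192 once the server sends traffic, which confirms that the static NAT is applied before the crypto map selects the packet; and `show access-lists OUTSIDE-IN` should show hit counts on the isakmp/esp lines first and, on releases that still do the post-decryption ACL check, on the 194.48.129.192 line as well. The non500-isakmp (UDP 4500) line is only exercised if NAT traversal is negotiated, which should not be the case when this router is itself the tunnel endpoint. Filtering on the outside interface keeps the unwanted packets off the NAT and crypto path entirely, which is the reason to prefer it over the inside-interface variant.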
