03-20-2009 02:04 AM - edited 03-06-2019 04:43 AM
I have a bit of an unusual VPN connection, where its crypto map's access-list contains public addresses:
crypto map CRYPTO 20 ipsec-isakmp
set peer 194.48.130.98
set transform-set NAMEMOB
...
match address 102
access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
...
That is required by that company.
62.100.68.171 is my server. I have to relocate it behind the router, so I have to NAT it.
I am going to include the following statement in my router's conf file:
ip nat inside source static 10.100.23.45 62.100.68.171
What I do not know is how to limit access to this server. Which statement do I have to include in my input ACL on my outside interface?
03-20-2009 02:22 AM
Pera
Not entirely sure what you are asking here. The order of operation outside to inside is to check the input acl before NAT (see this doc - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml). So you would use the public IP address of the server to limit access.
Alternatively you could use an outbound acl on your inside interface and use the private IP address of the server.
Jon
03-20-2009 04:32 AM
I have read that Cisco web page.
OK,
I have to include in my inbound outside interface ACL these two instructions:
permit ip host 194.48.130.98 host 62.100.68.171
deny ip any host 62.100.68.171?
I mean, do I have to include the address which I use in "set peer" in my crypto map?
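A concrete version of Jon's order-of-operations point, added here as an example and not taken from the thread or from Cisco: on the outside interface the inbound ACL is evaluated before NAT, and the linked doc also lists a second inbound-ACL check on the decrypted packets, still before NAT, so the server is always referenced by its public address, while the "set peer" address only needs to appear in the ISAKMP/ESP permits. The router's outside address (203.0.113.1) and the interface names are assumed placeholders.

```cisco
! Added example (not from the thread). Order of operations on the outside interface:
! outside-to-inside, the inbound ACL runs BEFORE NAT, and the decrypted IPsec
! payload is checked against the same inbound ACL a second time, still before NAT,
! so every rule about the server uses its PUBLIC address 62.100.68.171.
! Inside-to-outside, NAT runs before the crypto check, so crypto ACL 102
! (source 62.100.68.171) keeps matching after the server moves to 10.100.23.45.
!
! 203.0.113.1 (router outside address) and the interface names are placeholders.
interface FastEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map CRYPTO
!
interface FastEthernet0/1
 description INSIDE
 ip address 10.100.23.1 255.255.255.0
 ip nat inside
!
! Static NAT needs the 'inside' keyword in IOS.
ip nat inside source static 10.100.23.45 62.100.68.171
!
ip access-list extended OUTSIDE-IN
 remark --- the tunnel itself: ISAKMP, NAT-T and ESP from the 'set peer' address
 permit udp host 194.48.130.98 host 203.0.113.1 eq isakmp
 permit udp host 194.48.130.98 host 203.0.113.1 eq non500-isakmp
 permit esp host 194.48.130.98 host 203.0.113.1
 remark --- decrypted traffic, re-checked here: mirror of crypto ACL 102
 permit ip 194.48.129.192 0.0.0.63 host 62.100.68.171
 remark --- nothing else reaches the server's public address
 deny   ip any host 62.100.68.171
 remark --- permits for the rest of the network belong below this line
```

The peer address 194.48.130.98 is the tunnel endpoint and only matches the encrypted packets; the decrypted packets carry the remote protected network 194.48.129.192/26 as their source, which is why that range, not the peer, goes into the permit for the server.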