Possible Crypto Overlap and NAT ACL open to Subnet vs. Host

Answered Question
Apr 29th, 2010

Hi,

For a PIX 515E 6.3(5)

I have the following ACLs:

Crypto ACL List

access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter

In the above Crypto ACL list, hosts 192.168.7.221 and 192.168.7.222 are both also part of the object group 'productionhosts-datacenter' referenced in the same ACL list. What are the implications of having the same hosts referenced in the Crypto ACL, if any?

No NAT Access List

access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0

In relation to the Crypto ACLs above, is there an issue (security-wise or otherwise) with opening the complete subnet with a NoNAT ACL, to save having to nail down each host?

Thanks,

Dan

Correct Answer by droeun141, Thu, 04/29/2010 - 20:48

It doesn't matter, you can use the same source with multiple destinations. No issues either with the nonat.
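Both points in the thread can be checked mechanically against the posted ACLs: which crypto ACEs are fully shadowed by the object-group ACE, whether the nonat ACL exempts everything the crypto ACL encrypts, and which sources the subnet-wide nonat entry exempts from NAT without any crypto ACE covering them. This is an added example in Python, not code from the thread or from Cisco; the object-group contents are constructed, since the post does not list them (only the membership of 192.168.7.221 and .222 in productionhosts-datacenter comes from the post).

```python
import ipaddress
# Object-group contents are constructed for this example; the post only states
# that 192.168.7.221 and .222 are members of productionhosts-datacenter.
GROUPS = {"pdvcorp-backup3-to-db1-datacenter": ["192.168.10.50/32"],
          "access-productionhosts-datacenter": ["192.168.10.0/24"],
          "corphosts-datacenter": ["192.168.7.10/32", "192.168.7.11/32"],
          "productionhosts-datacenter": ["192.168.7.221/32", "192.168.7.222/32", "192.168.7.230/32"]}
CRYPTO_ACL = """\
access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter"""
NONAT_ACL = "access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0"

def take_addr(tok):
    """Consume one PIX 6.3 address spec: host X | object-group G | network mask."""
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    if tok[0] == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[tok[1]]], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]  # "net mask" form

def parse_acl(text):
    """One (src_nets, dst_nets) pair per 'permit ip' ACE, in configured order."""
    aces = []
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = take_addr(tok[4:])
            aces.append((src, take_addr(rest)[0]))
    return aces

def covered(nets, by):
    """True when every network in nets lies inside some network in by."""
    return all(any(n.subnet_of(b) for b in by) for n in nets)

def redundant_aces(aces):
    """(i, j) pairs where ACE i matches only traffic that ACE j already matches."""
    return [(i, j) for i, (s1, d1) in enumerate(aces) for j, (s2, d2) in enumerate(aces)
            if i != j and covered(s1, s2) and covered(d1, d2)]

def nonat_covers_crypto(crypto, nonat):
    """True when every crypto ACE's traffic is also exempted from NAT by some nonat ACE."""
    return all(any(covered(s, ns) and covered(d, nd) for ns, nd in nonat) for s, d in crypto)

def exempt_but_unencrypted(crypto, nonat):
    """Sources the nonat ACL exempts from NAT that no crypto ACE lists as a source."""
    crypto_src = [n for s, _ in crypto for n in s]
    return sorted(str(h) for ns, _ in nonat for net in ns for h in net.hosts()
                  if not any(h in c for c in crypto_src))
```

With the constructed groups, the two host ACEs are shadowed by the productionhosts-datacenter ACE (harmless, as the answer says), the nonat ACL covers every crypto ACE, and 249 hosts in 192.168.7.0/24 are NAT-exempt toward 192.168.10.0/24 without a crypto ACE, which is the trade-off of the subnet-wide nonat entry.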
