06-27-2010 06:15 PM
Hi All,
Please find my requirements below & the test results.
Existing Setup
Requirement
static (inside,outside) 10.1.1.1 access-list CLIENT_VPN_Policy_NAT
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1
access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1
Test Results
Problem
Question
I was assuming that POLICY-NAT will reflect only the tunnel where I configure it, but this seems to be reflecting for all whomsoever is using 10.1.1.1.
07-08-2010 06:42 AM
This is the default behavior of Policy NAT. For incoming traffic, it won't consider the source IP mentioned in the Policy NAT ACL.
As a workaround you need to apply filtering via access-lists. By default there is no ACL check for VPN traffic, you have to enable it via sysopt commands.
Alternatively you can put an outbound ACL on the inside interface, allowing access to 10.1.1.2 from the 192.168.1.1 client only. Don't forget to permit everything else at the end of the ACL.
Regards
Farrukh
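The outbound-ACL workaround from the reply above, written out as an added configuration example (not from the original thread). The ACL name INSIDE_OUT is assumed, and it assumes the pre-8.3 behaviour the reply relies on: an outbound ACL on the inside interface matches the real (untranslated) address 10.1.1.2, so it can single out the policy-NAT target even though every VPN peer reaches it through 10.1.1.1.

```cisco
! Added example: restrict the policy-NAT target 10.1.1.2 to the one intended peer.
! Order matters: the specific permit must precede the deny, and the trailing
! permit any any keeps all other inside-bound traffic working.
access-list INSIDE_OUT extended permit ip host 192.168.1.1 host 10.1.1.2
access-list INSIDE_OUT extended deny ip any host 10.1.1.2
access-list INSIDE_OUT extended permit ip any any
! Apply in the outbound direction on the inside interface (real addresses are seen here)
access-group INSIDE_OUT out interface inside
```

The deny line is what actually stops other VPN peers that hit 10.1.1.1 from being steered to 10.1.1.2; check the hit counters with `show access-list INSIDE_OUT` after a test from a second peer.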
07-08-2010 06:55 AM
Thanks Farrukh. Let me try this & shall get back to you some time during next week.