vpn queries

donnie
Level 1

Hi all,

I have a query on the example in the link below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

I would like to know, on PIX1, why there isn't an "access-list nonat extended permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0", since traffic from the 10.30.30.x/24 subnet needs to be NAT exempted when accessing 10.20.20.x/24 resources.

Using the above example again, if my PIX1 (hub) is an ASA 5510 instead and I enable it with remote access VPN, can my VPN clients be configured to allow access to the networks behind PIX2 and PIX3, which have static and dynamic L2L VPNs with my ASA 5510? Please advise. Thanks in advance.


Jennifer Halim
Cisco Employee

The reason why there is no NAT exemption on PIX1 for traffic between the PIX2 LAN and the PIX3 LAN is that the traffic is hairpinned on the outside interface of PIX1, and there is no "nat" statement applied to the outside interface. Since there is no existing NAT statement applied to the outside interface, there is no requirement to configure an explicit NAT exemption for traffic between the PIX2 and PIX3 LANs.

Yes, your VPN clients can also access the PIX2 and PIX3 LANs; however, you would need to include the VPN client IP pool subnet in the crypto ACLs for the LAN-to-LAN tunnels between PIX1 and PIX2, and between PIX1 and PIX3, and vice versa. Also, if you have split tunneling for your VPN clients, you would need to include the PIX2 and PIX3 LANs.

Hope that helps.

Hi Jennifer,

Thank you very much!

Hence with reference to the example in my post, you suggested

"you would need to include the VPN Client ip pool subnet in the crypto ACL for LAN-to-LAN between PIX1 and PIX2, and PIX3"

This means I need to add the VPN client IP pool subnet to access-list 100 on PIX1, which is used in the crypto map for LAN-to-LAN between PIX1 and PIX2/PIX3, right?

Thank you for the reminder on the split tunneling portion too!

On PIX1: ACL 100 should include the following (which is the static LAN-to-LAN towards PIX3):

access-list 100 permit ip <vpn-client-pool> <pool-mask> 10.30.30.0 255.255.255.0

On PIX3: the crypto ACL towards PIX1 should include the following:

access-list <crypto-acl-to-pix1> permit ip 10.30.30.0 255.255.255.0 <vpn-client-pool> <pool-mask>

Also on PIX3, you would need to remember to add the NAT exemption:

access-list <nat-exempt-acl> permit ip 10.30.30.0 255.255.255.0 <vpn-client-pool> <pool-mask>

For the dynamic-to-static LAN-to-LAN (between PIX1 and PIX2), you only need to configure PIX2:

On PIX2, ACL 100 should include the following:

access-list 100 permit ip 10.20.20.0 255.255.255.0 <vpn-client-pool> <pool-mask>

On PIX2, NAT exemption:

access-list <nat-exempt-acl> permit ip 10.20.20.0 255.255.255.0 <vpn-client-pool> <pool-mask>

Hope that answers your question.
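As an added worked example (not part of this thread and not taken from the linked Cisco document), here is how the pieces described in the two answers above fit together when PIX1 is replaced by an ASA 5510 running remote-access VPN: the hub's crypto ACL 100 and nonat list, the split-tunnel list, the remote-access policy, and the mirrored crypto/NAT-exempt ACLs on both spokes. Everything not stated on the page is assumed for illustration: the client pool 192.168.100.0/24, the hub LAN 10.10.10.0/24, the PIX3 outside address 203.0.113.3, and the names RAPOOL, SPLIT, RA-FILTER, RA-POLICY, RA-GROUP, DYNMAP, OUTSIDE_MAP and ESP-AES-SHA. ISAKMP policy, pre-shared keys and interface addressing are taken as already present from the linked example, and the NAT syntax is the pre-8.3 "nat (inside) 0 access-list" form used in the thread.

```cisco
! ===== Hub: ASA 5510 in the PIX1 role (pre-8.3 NAT syntax, as in the thread) =====
! ASSUMED for illustration: client pool 192.168.100.0/24, hub LAN 10.10.10.0/24,
! PIX3 peer 203.0.113.3, names RAPOOL/SPLIT/RA-FILTER/RA-POLICY/RA-GROUP/DYNMAP/OUTSIDE_MAP.
! From the thread: crypto ACL 100, NAT-exempt ACL nonat, PIX2 LAN 10.20.20.0/24, PIX3 LAN 10.30.30.0/24.

! Decrypted client and spoke traffic arrives on outside and must be sent back out outside
same-security-traffic permit intra-interface
ip local pool RAPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Static L2L crypto ACL towards PIX3. Local identities: hub LAN, PIX2 LAN (the
! spoke-to-spoke hairpin) and now the client pool. PIX3 must carry the mirror of each line.
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 10.30.30.0 255.255.255.0

! NAT exemption only matters for flows that hit a nat statement. Only (inside) has one,
! so only inside-sourced flows are listed; pool<->spoke and spoke<->spoke traffic enters
! and leaves on outside, where nothing translates it, hence no exemption is needed.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: the client sends hub LAN and both spoke LANs through the tunnel
access-list SPLIT standard permit 10.10.10.0 255.255.255.0
access-list SPLIT standard permit 10.20.20.0 255.255.255.0
access-list SPLIT standard permit 10.30.30.0 255.255.255.0

! sysopt connection permit-vpn (the default) lets decrypted VPN traffic bypass the outside
! interface ACL, so limit what clients may reach on the spoke LANs with a vpn-filter.
! For remote-access sessions the filter is written with the client address as the source.
access-list RA-FILTER extended permit tcp 192.168.100.0 255.255.255.0 10.30.30.0 255.255.255.0 eq 3389
access-list RA-FILTER extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list RA-FILTER extended deny ip any any

group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 vpn-filter value RA-FILTER
 address-pools value RAPOOL
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 default-group-policy RA-POLICY

! Crypto map: static entry for PIX3, dynamic catch-all entry for PIX2 (peer address unknown)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 match address 100
crypto map OUTSIDE_MAP 10 set peer 203.0.113.3
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! ===== PIX3 (static spoke): mirror the hub's ACL 100 and exempt the same flows from NAT =====
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list 100 permit ip 10.30.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! ===== PIX2 (dynamic spoke): only this side changes. The hub's dynamic map accepts the
! proxy identities PIX2 proposes, but PIX2 must initiate: the hub cannot reach its address.
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
```

To check the result, bring a client up, send traffic to a host behind PIX3, and run "show crypto ipsec sa peer 203.0.113.3" on the hub: the local ident/remote ident pairs should include 192.168.100.0/24 against 10.30.30.0/24. If the pool line is missing on the hub, pool-to-spoke packets do not match the crypto map and are routed out the outside interface in the clear towards the default route instead of into the tunnel; if it is missing only on the spoke, the spoke rejects the proxy identities and no SA forms. The vpn-filter lines above deliberately allow only RDP to the PIX3 LAN; widen them to what the clients actually need rather than relying on the interface ACL, which decrypted traffic bypasses.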

Hi Don,

Please kindly mark all posts answered if you have no more question. Thanks.

Hi Jennifer,

I have marked the post. Thank you!