Cisco Support Community
Community Member

crypto map access list contains public addresses?

I have a somewhat unusual VPN connection, in which the crypto map's access list contains public addresses:

crypto map CRYPTO 20 ipsec-isakmp

set peer 194.48.130.98

set transform-set NAMEMOB

...

match address 102

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63

...

That is required by that company.

62.100.68.171 is my server. I have to relocate it behind the router, so I have to NAT it.

I am going to include the following statement in my router's conf file:

ip nat source static 10.100.23.45 62.100.68.171

What I do not know is how to limit access to this server. Which statement do I have to include in my input ACL on my outside interface?

3 REPLIES
Hall of Fame Super Blue

Re: crypto map access list contains public addresses?

Pera

Not entirely sure what you are asking here. The order of operation outside to inside is to check the input acl before NAT (see this doc - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml). So you would use the public IP address of the server to limit access.

Alternatively you could use an outbound acl on your inside interface and use the private IP address of the server.

Jon
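A small model of the ordering described in the reply above, as an added example that is not part of the original thread: the outside input ACL is evaluated before NAT (public address), the inside output ACL after it (private address). Assumptions: the remote range from access-list 102 serves as a sample permitted source, 203.0.113.9 is a constructed outside address, and the model covers only IP-level ACL matching and static NAT, not IPsec processing.

```python
import ipaddress

def matches(addr, base, wildcard):
    """IOS-style wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if matches(src, s_base, s_wild) and matches(dst, d_base, d_wild):
            return action == "permit"
    return False

HOST = "0.0.0.0"                                    # wildcard of the 'host' keyword
ANY = ("0.0.0.0", "255.255.255.255")
PUBLIC, PRIVATE = "62.100.68.171", "10.100.23.45"   # addresses from the question
STATIC_NAT = {PUBLIC: PRIVATE}                      # global -> local

# Sample policy (constructed): only the remote range from access-list 102.
REMOTE = ("194.48.129.192", "0.0.0.63")
outside_in = [("permit", REMOTE, (PUBLIC, HOST)), ("deny", ANY, (PUBLIC, HOST))]
inside_out = [("permit", REMOTE, (PRIVATE, HOST)), ("deny", ANY, (PRIVATE, HOST))]
# Mistake: private address in an ACL that is evaluated before NAT.
outside_in_wrong = [("permit", REMOTE, (PRIVATE, HOST))]

def forward(src, dst, in_acl=None, out_acl=None):
    """Outside-to-inside path: input ACL, then NAT, then output ACL."""
    if in_acl is not None and not acl_permits(in_acl, src, dst):
        return "dropped by outside input ACL"
    dst = STATIC_NAT.get(dst, dst)      # destination is translated after the input ACL
    if out_acl is not None and not acl_permits(out_acl, src, dst):
        return "dropped by inside output ACL"
    return "delivered to " + dst

if __name__ == "__main__":
    for src in ("194.48.129.200", "203.0.113.9"):
        print(src, "outside-in :", forward(src, PUBLIC, in_acl=outside_in))
        print(src, "inside-out :", forward(src, PUBLIC, out_acl=inside_out))
    # The private address never appears on the wire at the outside interface,
    # so this ACL falls through to the implicit deny even for the allowed range.
    print("wrong ACL   :", forward("194.48.129.200", PUBLIC, in_acl=outside_in_wrong))
```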

Community Member

Re: crypto map access list contains public addresses?

I have read that Cisco web page:

OK,

I have to include these two instructions in my inbound outside interface ACL:

permit ip 194.48.130.98 62.100.68.171

deny ip any 62.100.68.171?

I mean, do I have to include the address which I use in set peer in my crypto map?
