
crypto map access list contains public addresses?

hoffenheim
Level 1

I have a somewhat unusual VPN connection, where the crypto map's access list contains public addresses:

crypto map CRYPTO 20 ipsec-isakmp
 set peer 194.48.130.98
 set transform-set NAMEMOB
 ...
 match address 102

access-list 102 permit ip host 62.100.68.171 194.48.129.192 0.0.0.63
...

That is required by that company.

62.100.68.171 is my server. I have to relocate it behind the router, so I have to nat it.

I am going to include the following statement in my router's conf file:

ip nat source static 10.100.23.45 62.100.68.171

What I do not know is how to limit access to this server. Which statement do I have to include in my input ACL on my outside interface?


Jon Marshall
Hall of Fame

Pera

Not entirely sure what you are asking here. The order of operation outside to inside is to check the input acl before NAT (see this doc - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml). So you would use the public IP address of the server to limit access.

Alternatively you could use an outbound acl on your inside interface and use the private IP address of the server.

Jon
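Added example, not part of Jon's reply or of the original thread: the two ACL placements described above, written out as IOS configuration with the addresses from the question. The ACL names, the interface names and the `<ROUTER_OUTSIDE_IP>` placeholder are assumptions; the ISAKMP and ESP permits are included because an inbound ACL on the interface that terminates the tunnel also has to admit the IPsec traffic from the peer.

```cisco
! NAT statement from the question: inside 10.100.23.45 <-> public 62.100.68.171
ip nat source static 10.100.23.45 62.100.68.171
!
! Option A: inbound ACL on the outside interface.
! The input ACL is evaluated before NAT, so the server is matched
! by its PUBLIC address here.
ip access-list extended OUTSIDE-IN
 ! IPsec control and data traffic from the VPN peer to this router.
 ! <ROUTER_OUTSIDE_IP> is a placeholder for the local tunnel endpoint.
 permit udp host 194.48.130.98 host <ROUTER_OUTSIDE_IP> eq isakmp
 permit esp host 194.48.130.98 host <ROUTER_OUTSIDE_IP>
 ! Cleartext flow that mirrors crypto access-list 102. Relevant on
 ! IOS releases that check the interface ACL again after decryption.
 permit ip 194.48.129.192 0.0.0.63 host 62.100.68.171
 ! Everything else addressed to the server's public address is dropped.
 deny   ip any host 62.100.68.171
 ! ... remaining entries of the existing outside policy go here
!
interface GigabitEthernet0/0
 description outside (hypothetical interface name)
 ip access-group OUTSIDE-IN in
 crypto map CRYPTO
!
! Option B (alternative): outbound ACL on the inside interface.
! By the time a packet leaves toward the server it has already been
! translated, so the server is matched by its PRIVATE address here.
ip access-list extended INSIDE-OUT
 permit ip 194.48.129.192 0.0.0.63 host 10.100.23.45
 deny   ip any host 10.100.23.45
 permit ip any any
!
interface GigabitEthernet0/1
 description inside (hypothetical interface name)
 ip access-group INSIDE-OUT out
```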

hoffenheim
Level 1

I have read that Cisco web page:

OK,

I have to include in my inbound outside interface acl these two instructions:

permit ip 194.48.130.98 62.100.68.171

deny ip any 62.100.68.171?

I mean, do I have to include the address which I use in set peer in my crypto map?
