I am doing a site-to-site VPN using two 1720s. I will be configuring NAT (static and overload) on both routers. The questions are: 1. When defining the traffic that gets encrypted by IPsec, should I specify the private IP range or the public IP range?
2. I will be doing a static one-to-one NAT for the mail, DNS, FTP and HTTP servers on the network. Do I still have to define in the access-list a rule to allow mail traffic through? If an access list is still required, should it be e.g. "access-list 101 permit tcp any host 192.168.1.5 eq 25", which gets applied to the Serial interface, or "access-list 101 permit tcp any public-ip eq 25" (where "public ip" refers to any public IP)?
Any help would be appreciated; I hope the above is clear.
I would specify the public address space; this is the outside of your network, and that particular interface represents your outside connectivity.
Much like BSD and ipfilter, you should define access-lists for your interfaces considering both in and out traffic. For greater granularity, you should designate the server's entire address with wildcard masks. This way you filter the right TCP traffic to just the server it is intended for.
Concerning your first question, you can specify public IP addresses or private IP addresses. It depends on your network design. You have the option to specify internal or public IP addresses; it is up to you.
The most important thing to say is: both sides must be configured with public IP addresses. Behind these public interfaces, you can route to invalid addresses.
About your second question, remember that you must define everything that will pass. Everything you do not include in the access-list will be prevented from going through the tunnel.
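The configuration below is an added example, not posted by anyone in this thread, showing one common way to put both answers into practice on IOS: the crypto access-list matches the private ranges (with a matching deny in the NAT access-list, since IOS translates inside-to-outside traffic before it evaluates the crypto map, and overloaded packets would never match), while the inbound access-list on the Serial interface refers to the public addresses, because IOS evaluates an inbound ACL before NAT translates the destination. All addresses (documentation ranges), interface names, the access-list numbers, the transform-set/crypto-map names and the pre-shared key are placeholders; only the R1 side is shown, and R2 mirrors it with the ranges and peer swapped.

```cisco
! R1 (placeholder addresses: LAN 192.168.1.0/24, Serial0 203.0.113.1,
! peer R2 Serial0 198.51.100.1 with LAN 192.168.2.0/24; mail server
! 192.168.1.5 published as 203.0.113.5). R2 mirrors this with the
! ranges swapped.
!
! Phase 1 / Phase 2 with a pre-shared key (PRESHAREDKEY is a placeholder)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHAREDKEY address 198.51.100.1
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
! Question 1: the crypto ACL matches the PRIVATE ranges. It is evaluated
! after NAT on the way out, so the NAT ACL below must exempt this traffic
! or the packets would carry 203.0.113.1 as source and never match.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPNSET
 match address 110
!
! NAT: deny LAN-to-remote-LAN first so tunnel traffic is not overloaded,
! then overload everything else from the LAN onto Serial0.
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface Serial0 overload
ip nat inside source static 192.168.1.5 203.0.113.5
!
! Question 2: inbound ACL on Serial0. IOS checks an inbound ACL before
! NAT translates the destination, so the static-NAT server is matched
! on its PUBLIC address, and the VPN itself needs ISAKMP and ESP permitted
! to the router's own public address.
access-list 101 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 101 permit esp host 198.51.100.1 host 203.0.113.1
access-list 101 permit tcp any host 203.0.113.5 eq smtp
! Return traffic for overloaded outbound TCP sessions (minimal illustration;
! a stateful inspection feature would be preferable where available).
access-list 101 permit tcp any host 203.0.113.1 established
! Older IOS releases re-check the inbound ACL against the decrypted
! packet, so the remote private range must also be permitted.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip any any log
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group 101 in
 crypto map VPNMAP
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Note that the private-to-private line in access-list 101 does nothing harmful on releases that no longer re-check decrypted packets, but omitting it on an older release silently drops all traffic arriving through the tunnel; checking `show crypto ipsec sa` for decrypt counters rising while the LAN sees nothing is the usual symptom.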