IPSEC NAT0 and separating internet traffic from tunnel traffic.
I have a situation with a Corporate Office PIX connecting to a Branch Office Watchguard via an IPSec tunnel, with internal hosts on the corporate LAN also needing access to the internet, as well as an internal ISA Server publishing ftp, smtp, www, ssl and rdp services to the internet. I've included the config for reference, but I'm curious as to whether the following would work as config'd. I haven't tried it live since the IPSec tunnel is not available yet; however, I just wanted to make sure I'm on the right track.
I'm also curious as to why two separate access-lists are needed for internal hosts' NAT 0 and the Crypto Map. Wouldn't one suffice, other than for future expandability?