Cisco Support Community
Bronze

relation between commands

Hi all,

What is the relation between the following commands?

----------------------------------------
nat (inside) 0 access-list vpn-it
----------------------------------------
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address vpn-it
crypto map transam 1 set peer 1.2.3.4
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 1.x.x.4 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

5 REPLIES
Gold

Re: relation between commands

A "NAT 0" means no NAT-ing is happening. This entry is used for the IPsec connection defined in the configuration. The nat command with access list lets you exempt traffic that is matched by the access-list command statements from the NAT services.

Hope this helps,

Jay

Bronze

Re: relation between commands

Hi,

Yup, it's clear, and now I know why my VPN used to stop and disconnect when I removed this line.

What I want to do is remove this line, as I cannot use PDM to configure my PIX. So is there a workaround, and do I have to live with it? Basically we are establishing a VPN through the PIX to a VPN concentrator on the other side.

Gold

Re: relation between commands

There is a solution to your problem, let me explain why PDM is not working with your current setup:

PDM will do this if you use one access-list in two separate locations (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255). I'm assuming you have something like the following in your config:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
crypto map 10 mymap match address nonat

PDM will not allow this and put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x 192.168.x.x
crypto map 10 mymap match address 100

This separates your crypto and your nonat ACLs. When you only have one IPsec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPsec peer, you simply add a new encryption ACL for the new traffic, and add that to your existing nonat ACL.

I hope this helps and please rate post if it does.

Jay
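The two statements in the reply above define two separate roles for the same traffic: the nat 0 ACL says which flows keep their original addresses, and the crypto map's match address ACL says which flows get encrypted to the peer. The following is an added example (not from the thread or from Cisco) showing a small audit script that reads a PIX-style configuration and reports the two things the reply warns about: one ACL name referenced by both nat 0 and a crypto map (the layout PDM rejects), and a crypto ACL permit entry that has no identical entry in a nat 0 ACL (the case where a newly added peer's traffic would be translated before it reaches the tunnel). The three configuration snippets embedded in it are constructed for the example; the addresses and ACL names are not the poster's.

```python
import re
from collections import defaultdict

# Constructed sample configs, not the poster's actual configuration.
# "shared" reuses one ACL for both nat 0 and the crypto map (the layout PDM rejects);
# "separated" follows the suggested fix with a distinct encryption ACL.
SHARED_ACL_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
crypto map mymap 10 match address nonat
"""

SEPARATED_ACL_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map mymap 10 match address 100
"""

# A second peer was added on the crypto side but the nonat ACL was not updated,
# so that traffic would be NATed before it reaches the tunnel.
MISSING_EXEMPTION_CONFIG = SEPARATED_ACL_CONFIG + """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map mymap 20 match address 101
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
# Accepts "crypto map NAME SEQ match address ACL" and the reversed order seen in the thread.
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\S+\s+match\s+address\s+(\S+)")


def parse_config(text):
    """Collect ACL entries plus the ACL names referenced by nat 0 and crypto map statements."""
    acls = defaultdict(list)
    nat0_acls = []
    crypto_acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            # store (action, tuple of match tokens) so entries are hashable and comparable
            acls[m.group(1)].append((m.group(2), tuple(m.group(3).split())))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    return {"acls": dict(acls), "nat0": nat0_acls, "crypto": crypto_acls}


def audit(text):
    """Return a list of findings; an empty list means the nat 0 and crypto roles use
    different ACLs and every crypto permit entry has a matching NAT exemption."""
    cfg = parse_config(text)
    findings = []
    for name in sorted(set(cfg["nat0"]) & set(cfg["crypto"])):
        findings.append(f"ACL {name} is used by both nat 0 and a crypto map match address")
    # every permit entry reachable through a nat 0 statement is exempt from translation
    exempt = {
        entry for name in cfg["nat0"]
        for entry in cfg["acls"].get(name, []) if entry[0] == "permit"
    }
    for name in cfg["crypto"]:
        for action, match in cfg["acls"].get(name, []):
            if action == "permit" and (action, match) not in exempt:
                findings.append(
                    f"crypto ACL {name} entry '{' '.join(match)}' has no nat 0 exemption"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in [("shared", SHARED_ACL_CONFIG), ("separated", SEPARATED_ACL_CONFIG),
                       ("missing-exemption", MISSING_EXEMPTION_CONFIG)]:
        print(label, audit(cfg) or "OK")
```

The coverage check compares entries textually, so it only recognises an exemption when the nonat ACL carries the same source and destination pair as the crypto ACL; that is exactly the discipline the reply recommends (add each new encryption ACL's traffic to the existing nonat ACL), and a mismatch in masks would surface as a finding rather than being silently accepted.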

Bronze

Re: relation between commands

Thanks Jay,

But I have a question: my crypto map is like this

crypto map transam 1 match address vpn-it

and not

crypto map 10 mymap match address nonat.

Secondly, I already have two NAT statements configured:

nat (inside) 0 access-list vpn-it

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

Bronze

Re: relation between commands

Hi Jay,

I got what you meant, and PDM is okay too. But still, a little more explanation of the relation between what was there and what we did would be appreciated.

211 Views, 0 Helpful, 5 Replies