New Member

Possible Crypto Overlap and NAT ACL open to Subnet vs. Host

Hi,

For a PIX 515E 6.3(5)

I have the following ACLs:

Crypto ACL List

access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter

In the above Crypto ACL list, hosts 192.168.7.221 and 192.168.7.222 are both also part of the object group 'productionhosts-datacenter' referenced in the same ACL list. What are the implications of having the same hosts referenced in the Crypto ACL, if any?

No NAT Access List

access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0

In relation to the Crypto ACLs above, is there an issue (security-wise or otherwise) with opening the complete subnet with a NoNAT ACL to save on having to nail down each host?

Thanks,

Dan

Accepted Solutions
New Member

Re: Possible Crypto Overlap and NAT ACL open to Subnet vs. Host

It doesn't matter, you can use the same source with multiple destinations.  No issues either with the nonat.
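To check the two things Dan asks about (which crypto ACL entries cover the same source/destination pairs, and whether the nonat ACL exempts every crypto flow from translation), here is an added Python script; it is not from the thread or from Cisco. The object-group contents are constructed, since the post does not list them, and are chosen so that .221 and .222 appear both in their own host entries and in productionhosts-datacenter.

```python
import ipaddress

# Constructed object-group contents (the thread does not show them); chosen
# so that .221/.222 sit in productionhosts-datacenter as the question says.
GROUPS = {
    "pdvcorp-backup3-to-db1-datacenter": ["192.168.10.50/32"],
    "corphosts-datacenter": ["192.168.7.10/32", "192.168.7.11/32"],
    "productionhosts-datacenter": ["192.168.7.221/32", "192.168.7.222/32", "192.168.7.230/32"],
    "access-productionhosts-datacenter": ["192.168.10.0/24"],
}

CRYPTO_ACL = """
access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter
"""
NONAT_ACL = "access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0"

def _take(tokens):
    """Consume one address spec (host A | object-group G | NET MASK); return (networks, rest)."""
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[tokens[1]]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_acl(text):
    """Return [(entry_no, [src nets], [dst nets])] for each 'permit ip' line."""
    entries = []
    for n, line in enumerate([l for l in text.splitlines() if l.strip()], 1):
        src, rest = _take(line.split()[4:])   # skip 'access-list NAME permit ip'
        dst, _ = _take(rest)
        entries.append((n, src, dst))
    return entries

def overlaps(entries):
    """Pairs of crypto entries that both match some identical src/dst combination."""
    hit = lambda xs, ys: any(x.overlaps(y) for x in xs for y in ys)
    return [(a[0], b[0]) for i, a in enumerate(entries) for b in entries[i + 1:]
            if hit(a[1], b[1]) and hit(a[2], b[2])]

def nonat_gaps(crypto, nonat):
    """Crypto entries whose traffic is not fully exempted from NAT by any nonat entry."""
    inside = lambda nets, bigger: all(any(n.subnet_of(b) for b in bigger) for n in nets)
    return [n for n, src, dst in crypto
            if not any(inside(src, ns) and inside(dst, nd) for _, ns, nd in nonat)]
```

With the constructed groups, `overlaps(parse_acl(CRYPTO_ACL))` reports entries 1 and 2 as covered again by entry 4, and `nonat_gaps` returns an empty list for the posted nonat line, so every crypto flow is NAT-exempt; narrowing nonat to a single host makes the remaining entries show up as gaps.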

2 REPLIES

New Member

Re: Possible Crypto Overlap and NAT ACL open to Subnet vs. Host

As droeun141 said, you should be fine.
