Possible Crypto Overlap and NAT ACL open to Subnet vs. Host
For a PIX 515E 6.3(5)
I have the following ACLs:
Crypto ACL List
access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter
In the above Crypto ACL list, hosts 192.168.7.221 and 192.168.7.222 are both also part of the object group 'productionhosts-datacenter' referenced in the same ACL list. What are the implications of having the same hosts referenced in the Crypto ACL, if any?
No NAT Access List
access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
In relation to the Crypto ACLs above, is there an issue (security-wise or otherwise) with opening the complete subnet with a NoNAT ACL to save having to nail down each host?
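A small audit script, added here as an example and not part of the original post, that parses the crypto ACL and the nonat ACE quoted above, reports which crypto entries can match the same flow, and lists the source addresses the nonat ACE exempts from NAT although no crypto entry would ever encrypt them. The object-group memberships are constructed: the post only says that 192.168.7.221 and .222 are in productionhosts-datacenter, so the other members are placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed object-group members (only the two .221/.222 memberships come from the post).
OBJECT_GROUPS = {
    "pdvcorp-backup3-to-db1-datacenter": ["192.168.10.0/24"],
    "corphosts-datacenter": ["192.168.7.0/26"],
    "productionhosts-datacenter": ["192.168.7.221", "192.168.7.222", "192.168.7.230"],
    "access-productionhosts-datacenter": ["192.168.10.0/24"],
}

CRYPTO_ACL = """\
access-list ipsectraffic permit ip host 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip host 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
access-list ipsectraffic permit ip object-group corphosts-datacenter 192.168.10.0 255.255.255.0
access-list ipsectraffic permit ip object-group productionhosts-datacenter object-group access-productionhosts-datacenter
"""
NONAT_ACE = "access-list nonat permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0"

def parse_endpoint(tok, i):
    """Parse 'host A.B.C.D', 'object-group NAME' or 'NET MASK' at tok[i]; return (networks, next index)."""
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(m) for m in OBJECT_GROUPS[tok[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def parse_ace(line):
    """'access-list NAME permit ip SRC DST' -> (source networks, destination networks)."""
    tok = line.split()
    src, i = parse_endpoint(tok, 4)
    dst, _ = parse_endpoint(tok, i)
    return src, dst

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def find_overlaps(acl_text):
    """Index pairs of ACEs that can both match the same source/destination flow."""
    aces = parse_acl(acl_text)
    return [(i, j) for i, j in combinations(range(len(aces)), 2)
            if any(s1.overlaps(s2) and d1.overlaps(d2)
                   for s1 in aces[i][0] for d1 in aces[i][1]
                   for s2 in aces[j][0] for d2 in aces[j][1])]

def nonat_excess(nonat_line, acl_text):
    """Source addresses the nonat ACE exempts from NAT that no crypto ACE would encrypt."""
    exempt = {a for n in parse_ace(nonat_line)[0] for a in n}
    encrypted = {a for src, _ in parse_acl(acl_text) for n in src for a in n}
    return sorted(exempt - encrypted)

if __name__ == "__main__":
    print("overlapping crypto ACEs:", find_overlaps(CRYPTO_ACL))
    print("NAT-exempt but never encrypted:", len(nonat_excess(NONAT_ACE, CRYPTO_ACL)))
```

With the constructed groups the script flags the two host entries as overlapping the productionhosts-datacenter entry, and shows how much of 192.168.7.0/24 the broad nonat ACE exempts beyond what the crypto ACL covers.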