10-03-2010 12:59 AM
Hi all,
I have a query on the example in the link below.
I would like to know, on PIX1, why there isn't an "access-list nonat extended permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0", since traffic from the 10.30.30.x/24 subnet needs to be NAT exempted when accessing 10.20.20.x/24 resources.
Using the above example again: if my PIX1 (hub) is an ASA 5510 instead and I enable remote access VPN on it, can my VPN clients be configured to allow access to the networks behind PIX2 and PIX3, which have static and dynamic L2L VPNs with my ASA 5510? Please advise. Thanks in advance.
10-03-2010 01:15 AM
The reason why there is no NAT exemption on PIX1 for traffic between the PIX2 LAN and the PIX3 LAN is that the traffic is hairpinned on the outside interface of PIX1, and there is no "nat" statement applied to the outside interface. Since there is no existing NAT statement applied to the outside interface, there is no requirement to configure explicit NAT exemption for traffic between the PIX2 and PIX3 LANs.
Yes, your VPN Clients can also access the PIX2 and PIX3 LANs; however, you would need to include the VPN Client IP pool subnet in the crypto ACLs for the LAN-to-LAN tunnels between PIX1 and PIX2 and between PIX1 and PIX3, and vice versa. Also, if you have split tunneling for your VPN Clients, you would need to include the PIX2 and PIX3 LANs.
Hope that helps.
10-03-2010 01:24 AM
Hi Jennifer,
Thank you very much!
Hence, with reference to the example in my post, you suggested:
"you would need to include the VPN Client ip pool subnet in the crypto ACL for LAN-to-LAN between PIX1 and PIX2, and PIX3"
This means I need to add the VPN client IP pool subnet to access-list 100 on PIX1, which is used in the crypto map for LAN-to-LAN between PIX1 and PIX2/PIX3, right?
Thank you for the reminder on the split tunneling portion too!!
10-03-2010 01:37 AM
On PIX1: ACL 100 should include the following (which is the static LAN-to-LAN towards PIX3):
access-list 100 permit ip
On PIX3: crypto ACL towards PIX1 should include the following:
access-list
Also on PIX3, you would need to remember adding NAT exemption:
access-list
For the dynamic-to-static LAN-to-LAN (between PIX1 and PIX2), you only need to configure PIX2:
On PIX2, ACL 100 should include the following:
access-list 100 permit ip 10.20.20.0 255.255.255.0
On PIX2, NAT exemption:
access-list
Hope that answers your question.
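Putting the two replies above together, here is an added worked configuration, not from the original thread or from Cisco, written in ASA 7.x syntax for the hub (the ASA 5510 the question proposes) and PIX 6.x syntax for the two spokes. The 10.20.20.0/24 (PIX2) and 10.30.30.0/24 (PIX3) LANs come from the thread; the hub LAN 10.10.10.0/24, the VPN client pool 192.168.100.0/24, the outside addresses 203.0.113.1/.2/.3, and all ACL, map, pool and group names are assumptions for illustration. ISAKMP policies, pre-shared keys and spoke transform sets are omitted. What it shows is the mirror relationship the thread describes: every hub crypto ACL entry has its reversed entry on the spoke, the client pool appears in the crypto ACLs on both ends, each spoke NAT-exempts exactly the pairs it encrypts, and the hub exempts nothing for spoke-to-spoke or client-to-spoke traffic because that traffic hairpins on outside, where no nat statement exists.

```text
! ================= HUB: ASA 5510 standing in for PIX1 (assumed addressing) =================
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Spoke-to-spoke and client-to-spoke traffic is decrypted on outside and
! re-encrypted on outside, so the hub must allow hairpinning on one interface.
same-security-traffic permit intra-interface
! Let decrypted VPN traffic bypass the interface ACLs
sysopt connection permit-vpn
!
! NAT exemption is only needed where NAT applies, i.e. on inside. Outside has no
! nat statement, so 10.20.20.0 <-> 10.30.30.0 and pool <-> spoke need no exemption.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Static L2L towards PIX3: hub LAN, the PIX2 LAN and the client pool -> PIX3 LAN
access-list to_pix3 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list to_pix3 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list to_pix3 extended permit ip 192.168.100.0 255.255.255.0 10.30.30.0 255.255.255.0
!
! PIX2 has a dynamic address, so the hub terminates it on a dynamic crypto map with
! no match address: PIX2's own crypto ACL (below) decides what the tunnel carries.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 match address to_pix3
crypto map outside_map 10 set peer 203.0.113.3
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN
crypto map outside_map interface outside
!
! Remote-access clients: the split-tunnel list must carry the spoke LANs as well,
! otherwise the client sends 10.20.20.0/10.30.30.0 traffic in the clear.
ip local pool VPNPOOL 192.168.100.1-192.168.100.254
access-list split extended permit ip 10.10.10.0 255.255.255.0 any
access-list split extended permit ip 10.20.20.0 255.255.255.0 any
access-list split extended permit ip 10.30.30.0 255.255.255.0 any
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN

! ================= PIX3: static L2L spoke, outside 203.0.113.3 (assumed) =================
! Crypto ACL is the exact mirror of to_pix3 on the hub
access-list to_hub permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list to_hub permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list to_hub permit ip 10.30.30.0 255.255.255.0 192.168.100.0 255.255.255.0
! NAT exemption for the same three pairs
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map pix3_map 10 ipsec-isakmp
crypto map pix3_map 10 match address to_hub
crypto map pix3_map 10 set peer 203.0.113.1
crypto map pix3_map 10 set transform-set ESP-AES-SHA
crypto map pix3_map interface outside

! ================= PIX2: dynamic-address spoke, only it needs changes =================
! PIX2 must originate the tunnel; its crypto ACL names every remote subnet it will reach
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map pix2_map 10 ipsec-isakmp
crypto map pix2_map 10 match address 100
crypto map pix2_map 10 set peer 203.0.113.1
crypto map pix2_map 10 set transform-set ESP-AES-SHA
crypto map pix2_map interface outside
```

Two checks worth running after applying this: "show crypto ipsec sa" on the hub should list a separate SA pair per proxy identity (for example 10.20.20.0/24 to 10.30.30.0/24) rather than only the LAN-to-LAN pair, and a spoke with a dynamic address can only reach the other spoke after it has brought its own tunnel up, since the hub cannot initiate towards a dynamic peer. On ASA 8.x the tunnel-group type keyword is remote-access instead of ipsec-ra.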
10-03-2010 02:39 AM
Hi Don,
Please kindly mark all posts answered if you have no more questions. Thanks.
10-03-2010 06:15 AM
Hi Jennifer,
I have marked the post. Thank you!!