VPN Access-list

xayavongp
Level 1

I understand the basic configuration for VPN traffic and you don't want to NAT it.

access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Make sure NAT is not applied to traffic passing across the VPN tunnel:

nat (inside) 0 access-list ACL_1

But I don't see where (from samples) it does not get applied to the inside interface. Could someone explain why that is so?

access-group ACL_1 in interface inside

Thanks,

Pete

Accepted Solution

Hi Pete,

Basically you need:

The crypto ACL:

access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The NAT exempt rule:

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

No need for an access-group.

Remember that the ASA has the "sysopt connection permit-vpn" command enabled by default, which basically allows any traffic coming over a VPN tunnel to bypass the outside ACL.

Please let me know if this answers your question.

Thanks.

Portu.

Please rate any post you find useful.
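A small audit script, added here as an example and not part of the original thread, that checks the two points in the answer above: that every flow in the crypto ACL is also covered by the NAT-exempt ACL referenced by "nat (inside) 0" (otherwise that flow would be NATed before it is encrypted), and whether "sysopt connection permit-vpn" is still at its default, so tunnel traffic skips the interface ACL. The config fragment is constructed; the "crypto map ... match address" line and the "no sysopt connection permit-vpn" form are standard ASA syntax that the thread itself does not show.

```python
import ipaddress
import re

# Constructed ASA 8.2-style config fragment (not from the thread). It mirrors the
# answer: a crypto ACL, a NAT 0 exemption ACL, and the default sysopt left in place.
SAMPLE_CONFIG = """\
access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address ACL_1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                              ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def nat_exempt_acl(config):
    """Name of the ACL referenced by 'nat (inside) 0 access-list NAME', or None if absent."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None

def crypto_acls(config):
    """ACL names bound to crypto map entries via 'match address'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)

def unexempted_vpn_flows(config):
    """Crypto-ACL flows with no covering NAT-exempt entry: these get NATed before encryption."""
    acls = parse_acls(config)
    exempt = acls.get(nat_exempt_acl(config), [])
    missing = []
    for name in crypto_acls(config):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing

def vpn_bypasses_interface_acl(config):
    """True unless 'no sysopt connection permit-vpn' is present; the ASA default is enabled."""
    return re.search(r"^no sysopt connection permit-vpn$", config, re.M) is None
```

On the sample config both checks pass; change the NONAT source subnet and the crypto ACL flow is reported as unexempted.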
