08-23-2012 10:27 AM - edited 03-11-2019 04:45 PM
I have a router 3845 and it's connected to a PIX, which is connected with a VPN tunnel to the customer router. I am trying to make VPN connectivity for devices here. So on the router I did static NAT statements: 10.124.90.124 10.200.200.1. I wrote six statements of this type for six devices. On the PIX I did:
isakmp key ******** address 208.39.107.230 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
crypto map outside_map 60 set transform-set ESP-3DES-SHA-1
I have one question: do I need to use the physical subnet or the NAT subnet for the crypto map ACL?
And also, on the customer router, which subnet can they use: the NAT subnet or my router's physical subnet?
08-23-2012 11:27 AM
Hello Ronald,
I might not understand your question, but let me try to answer this for you:
On the crypto ACL you will set the traffic that needs to be encrypted (in this case the local area networks of each side).
Now remember that you need to exclude this traffic on each side from being NATted (so it should not get translated if it goes inside the tunnel, unless desired).
Regards,
Rate the helpful posts
08-23-2012 11:33 AM
My 3845 router's physical IP is 192.133.193.242 with subnet /29,
so I have to make the crypto map ACL on my PIX:
access-list name permit ip 10.200.200.0/24 216.46.255.0/26 or
access-list name permit ip 192.133.193.242/29 216.46.255.0/26
I want to know the same for the customer side as well.
08-23-2012 11:37 AM
Hello Ronak,
Please check the following diagram
192.168.12.0/24---Router----4.0.0.0-------ISP---------80.80.80.0---ASA------192.168.100.0/24
So the crypto ACL on the router should be:
ip access-list extended crypto_acl
permit ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255
On the ASA:
access-list crypto_acl permit ip 192.168.100.0 255.255.255.0 192.168.12.0 255.255.255.0
I hope this helps,
Rate all the helpful posts
08-23-2012 11:52 AM
My router is directly connected to the PIX.
08-23-2012 12:17 PM
Hello Ronak,
It should be the same, but just in case, can you set up a diagram?
Regards,
Julio
08-23-2012 12:22 PM
router - PIX - internet - customer router
The tunnel is terminating on the PIX.
08-23-2012 12:26 PM
Hello Ronald,
It is the same as my topology.
You just need to include in the crypto ACL, if required, the traffic from the subnet behind the router (behind the ASA) to the other customer router.
Regards,
Julio
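The two rules Julio gives above (the crypto ACLs on the router and the ASA must be mirror images of each other, and the same traffic must be exempt from NAT) are easy to get wrong by hand. The following added check is not from the thread or from Cisco; it parses constructed sample entries in IOS wildcard-mask and ASA/PIX subnet-mask syntax, normalises them to networks, and verifies the mirroring and the NAT-exemption coverage. The ACL names and the `nonat` ACL are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample entries for the thread's diagram:
# 192.168.12.0/24---Router----...----ASA------192.168.100.0/24
# IOS 'ip access-list extended' lines use wildcard masks; ASA/PIX lines use subnet masks.
ROUTER_CRYPTO_ACL = [
    "permit ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255",
]
ASA_CRYPTO_ACL = [
    "access-list crypto_acl permit ip 192.168.100.0 255.255.255.0 192.168.12.0 255.255.255.0",
]
# Assumed NAT-exemption ACL on the ASA (the one referenced by 'nat 0 access-list');
# it must cover at least everything the crypto ACL selects, or the tunnel traffic gets translated.
ASA_NAT0_ACL = [
    "access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.12.0 255.255.255.0",
]

ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_entry(line, wildcard):
    """Return (src_net, dst_net) for one 'permit ip' line; wildcard=True for IOS syntax."""
    m = ENTRY.search(line)
    if not m:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    src, smask, dst, dmask = m.groups()
    def net(addr, mask):
        if wildcard:  # IOS wildcard mask: invert the bits to get the subnet mask
            mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net(src, smask), net(dst, dmask)

def mirrors(router_lines, asa_lines):
    """True if the router's (local, remote) pairs equal the ASA's pairs seen from the router's side."""
    router_pairs = {parse_entry(l, True) for l in router_lines}
    asa_pairs = {(d, s) for s, d in (parse_entry(l, False) for l in asa_lines)}  # flip direction
    return router_pairs == asa_pairs

def nat_exempt_covers_crypto(crypto_lines, nat0_lines):
    """True if every crypto ACL pair on the ASA is contained in some NAT-exemption pair."""
    nat0 = [parse_entry(l, False) for l in nat0_lines]
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
               for s, d in (parse_entry(l, False) for l in crypto_lines))

if __name__ == "__main__":
    print("crypto ACLs mirror each other:", mirrors(ROUTER_CRYPTO_ACL, ASA_CRYPTO_ACL))
    print("NAT exemption covers crypto ACL:", nat_exempt_covers_crypto(ASA_CRYPTO_ACL, ASA_NAT0_ACL))
```

Running it against your own configuration means pasting the real `permit ip` lines from each side into the two lists; a `False` from either function points at the exact mismatch Julio describes.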