We have this nat for vpn users
nat (inside) 0 access-list nonat_pool    <-- current nat for vpn
Also I need an IPsec connection for vendor traffic where we do not want to NAT inside traffic
nat (inside) 0 access-list NAT_EXEMPT    <-- nat for IPsec tunnel
How will this work?
Does it have to be in a certain order?
Here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source IP addresses and the remote networks are 10.70.160.x. Is this correct?
If you want to allow only certain protocols to work with an access-list, for example tcp/udp, then you have to give the command "sysopt connection permit-vpn". Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. ... This is the more secure method to allow traffic in the VPN because external users cannot spoof IP addresses in the remote access VPN address pool.
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
!
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
 pre-shared-key xxxxxx
!
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
!
nat (inside) 0 access-list LAN_Traffic
crypto map VPNCMAP 20 match address LAN_Traffic
crypto map VPNCMAP 20 set peer 172.24.32.115
crypto map VPNCMAP 20 set transform-set L2L
!
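Added example, not from the thread or from Cisco: a small Python audit of the two-nat-0 situation the question describes. It assumes pre-8.3 ASA syntax, where only one nat (inside) 0 access-list statement is in effect per interface (a later one replaces the earlier), so it flags duplicate nat 0 statements, reports crypto-map ACEs that the effective exemption ACL does not cover (that traffic would be translated before it reaches the tunnel), and emits one merged exemption ACL as the fix; the sample config is constructed from the thread's lines, with 10.96.99.0/24 standing in for the VPN pool the thread never names.

```python
import re
from collections import defaultdict

# Constructed sample: the OP's two nat 0 statements plus the answer's ACL.
# 10.96.99.0/24 is a placeholder for the remote-access VPN pool.
SAMPLE_CONFIG = """\
access-list nonat_pool extended permit ip 10.96.96.0 255.255.255.0 10.96.99.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
crypto map VPNCMAP 20 match address LAN_Traffic
nat (inside) 0 access-list LAN_Traffic
nat (inside) 0 access-list nonat_pool
"""

ACE_RE = re.compile(r"^access-list (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Collect ACEs per ACL, nat 0 ACL names per interface, crypto-map match ACLs."""
    acls, nat0, crypto_acls = defaultdict(list), defaultdict(list), []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append(m.group(2))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)].append(m.group(2))
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
    return acls, nat0, crypto_acls

def audit(config):
    """Return findings: duplicate nat 0 per interface, crypto-map ACEs not exempted."""
    acls, nat0, crypto_acls = parse(config)
    findings, exempt = [], set()
    for ifc, names in nat0.items():
        if len(names) > 1:
            findings.append(f"{ifc}: {len(names)} nat 0 access-list statements; "
                            f"only the last ({names[-1]}) is in effect")
        exempt.update(acls[names[-1]])          # only the last ACL exempts traffic
    for name in crypto_acls:
        findings += [f"crypto map ACE not NAT-exempt: {ace}"
                     for ace in acls[name] if ace not in exempt]
    return findings

def merged_exemption_acl(config, new_name="NONAT_ALL"):
    """Fix: one ACL holding every nat 0 and crypto-map ACE, one nat 0 per interface."""
    acls, nat0, crypto_acls = parse(config)
    wanted = []
    for name in [n for names in nat0.values() for n in names] + crypto_acls:
        wanted += [ace for ace in acls[name] if ace not in wanted]
    lines = [f"access-list {new_name} {ace}" for ace in wanted]
    return lines + [f"nat ({ifc}) 0 access-list {new_name}" for ifc in nat0]
```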