Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
1
Replies

Access list questions NAT and VPN

Martinus P. J. Moerman
Level 1
Level 1

‎03-19-2014 02:28 AM - edited ‎03-04-2019 10:36 PM

Hello,

I have a 887 running as a NAT router for a local office, and also as VPN device to the main office.

Our internal network has network 192.168.168.0 and the rest of the 192.168.x.x is accessible via the main office VPN .

How to configure the correct Access list.

Currenlty I have the following access list entries

100 is my nat interface

101 is my vpn interface to main office

ip nat inside source static tcp 192.168.168.100 1352 interface FastEthernet4 1352

ip nat inside source list 100 interface FastEthernet4 overload

!
access-list 100 deny   ip 192.168.168.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny   ip 192.168.168.0 0.0.0.255 192.168.171.0 0.0.0.255
access-list 100 deny   ip 192.168.168.0 0.0.0.255 192.168.169.0 0.0.0.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.171.0 0.0.0.255
 

How to arrange that all traffic of 192.168.x.x goes over the VPN and that all other traffic goes to internet.

Do I have to put all deny rules for all networks, or is there a shortcut to do this ?

 

 

 

Labels:
0 Helpful
1 Reply 1

shamax_1983
Level 3
Level 3

‎03-19-2014 12:18 PM

You NAT ACL should be,

 

access-list 100 deny  ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 any

 

Your Crypto ACL should be,

access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255


 So this is how it works, when outbound packet hits the internal interface it will check the routing table and will pick the default gateway route via your Internet link.

We have NAT outside enabled on that interface...  It will then check if the NAT ACL passes.. in your case only the traffic from local subnet to other places excluding the Main office range will be permitted for NAT.. so if your packet is destined to internet it will then get NAT/PAT'ed out.

If the packet is destined to the main office, it will NOT get NAT'ed and will proceed and will see the Crypto MAP configured on the outside interface... will check the Crypto ACL.. which is a pass.. this will then get encrypted and be sent through the IPSec tunnel.

It is important to make sure that you have the mirrored Crypto ACL configured on the Main office side.. otherwise you will run in to issues.

Hope this helps.. let me know if you need more information on this..

Please don't forget to rate helpful answers.. :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card