Access list questions NAT and VPN


I have an 887 running as a NAT router for a local office, and also as a VPN device to the main office.

Our internal network has network and the rest of 192.168.x.x is accessible via the main office VPN.

How do I configure the correct access list?

Currently I have the following access list entries:

100 is my nat interface

101 is my vpn interface to main office

ip nat inside source static tcp 1352 interface FastEthernet4 1352

ip nat inside source list 100 interface FastEthernet4 overload

access-list 100 deny   ip
access-list 100 deny   ip
access-list 100 deny   ip
access-list 100 permit ip any
access-list 101 permit ip
access-list 101 permit ip

How do I arrange that all traffic for 192.168.x.x goes over the VPN and all other traffic goes to the internet?

Do I have to put in deny rules for all networks, or is there a shortcut to do this?





Your NAT ACL should be:


access-list 100 deny  ip
access-list 100 permit ip any


Your Crypto ACL should be:

access-list 101 permit ip

So this is how it works: when an outbound packet hits the internal interface, the router checks the routing table and picks the default gateway route via your Internet link.

We have NAT outside enabled on that interface... It will then check whether the NAT ACL passes.. in your case only the traffic from the local subnet to other places, excluding the main office range, will be permitted for NAT.. so if your packet is destined for the internet it will then get NAT/PAT'ed out.

If the packet is destined for the main office, it will NOT get NAT'ed and will proceed until it meets the crypto map configured on the outside interface... the router checks the Crypto ACL.. which is a pass.. the packet then gets encrypted and is sent through the IPSec tunnel.

It is important to make sure that you have the mirrored Crypto ACL configured on the main office side.. otherwise you will run into issues.

Hope this helps.. let me know if you need more information on this..

Please don't forget to rate helpful answers.. :)
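The order of operations the answer describes (routing, then the NAT ACL, then the crypto map on the outside interface) can be modelled to show why the `deny` for the main office range has to sit in front of the NAT `permit`, and why the far side's crypto ACL must be the mirror image. This is an added illustration, not configuration from the original post; the subnets 192.168.10.0/24 (local LAN) and 192.168.0.0/16 (main office reach) are constructed placeholders, since the post's own addresses were not preserved.

```python
import ipaddress

# Constructed example ranges (assumptions; the original post's addresses were not preserved).
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")     # this office's subnet
MAIN_OFFICE = ipaddress.ip_network("192.168.0.0/16")    # rest of 192.168.x.x, reached over the VPN
ANY = ipaddress.ip_network("0.0.0.0/0")

# An ACL is an ordered list of (action, src, dst). First match wins; implicit deny at the end.
NAT_ACL_100 = [("deny", LOCAL_LAN, MAIN_OFFICE), ("permit", LOCAL_LAN, ANY)]
NAT_ACL_MISSING_DENY = [("permit", LOCAL_LAN, ANY)]     # the mistake the answer warns against
CRYPTO_ACL_101 = [("permit", LOCAL_LAN, MAIN_OFFICE)]   # interesting traffic for the IPSec tunnel


def acl_permits(acl, src, dst):
    """Return True if the first matching entry is a permit, False otherwise (implicit deny)."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def outbound_path(src, dst, nat_acl=NAT_ACL_100, crypto_acl=CRYPTO_ACL_101):
    """Decide what happens to an inside->outside packet, in IOS order: route, NAT, then crypto."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LOCAL_LAN:
        return "local"                # never reaches the outside interface
    if acl_permits(nat_acl, src, dst):
        return "nat-internet"         # translated by 'ip nat inside source list 100 ... overload'
    if acl_permits(crypto_acl, src, dst):
        return "ipsec-vpn"            # untranslated, matches the crypto map, gets encrypted
    return "plaintext-untranslated"   # leaves with a private source address: effectively lost


def mirrored(acl):
    """The crypto ACL the main office side needs: same entries with src and dst swapped."""
    return [(action, d, s) for action, s, d in acl]


def main():
    for dst in ("8.8.8.8", "192.168.20.7", "192.168.10.9"):
        print(dst, "->", outbound_path("192.168.10.5", dst))
    # Without the deny entry, VPN-bound traffic is translated first and never matches the crypto ACL.
    print("missing deny:", outbound_path("192.168.10.5", "192.168.20.7", nat_acl=NAT_ACL_MISSING_DENY))
    print("main office crypto ACL:", mirrored(CRYPTO_ACL_101))


if __name__ == "__main__":
    main()
```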