Robert, the first example (example#0) of "how to use an extended-acl" to do what a prefix-list *construct* means is *correct*.
Examples 1, 2, 3 are wrong.
In example#3 your prefix-list is:
ip prefix-list cisco seq 10 permit 10.250.0.0/16 le 24 ge 17
The c...
The inbound-acl applied to the lower-security interface will reference the real destination-IP, not the mapped-IP.
So the order: NAT (untranslate), consult acl and, if allowed, route to real-destination.
Return traffic doesn't need to be explicitly allowed ...
Great doc by Jouni. I want to add to the NAT table sectioning since I still get a lot of questions about just that. I have come to realise that section 2 (auto-NAT/object NAT) and its purpose cause the most confusion given the presence of 1 and 3. O...
The ASAs do not support GRE tunnels. If you wish to run dynamic routing across your pri and backup links... your IPsec peers will be the outside interfaces of your internet-facing routers (run GRE over IPsec). Make sure the bandwidth on your tunnel int...