I am trying to create a PCI zone inside a network. I am using a 1941 with security and ZFW to restrict traffic. PCI can go out to ASA and across to LAN. LAN can go to ASA but not to PCI, finally ASA can go back to both PCI and LAN to send natted traf...
I have a client that is trying to use an ISP hosted web filtering and content management gateway. The ISP wants to use an L2L IPsec VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client sid...
I need to NAT the DMZ vlan to a non-interface IP for internet access. I was thinking of doing a static command:
static (DMZ,outside) 192.168.1.1 1.2.3.4 255.255.255.255
or do I need to do a global nat?
global (DMZ) 2 <external IP>
nat (DMZ) 0 access-list N...
I had forgotten about this post! PCI to LAN is allowed, LAN to PCI is not. I played with the ACLs and have had it working. I'm marking your answer correct, as it does correct the one ACL issue I was having with assignment of the directions. Thanks for...
It's supposed to, but we can't get it to work for inbound PAT, so we just have 30 object lines.
object network EXCH-WEB
object network EXCH-SMTP
etc.
Thanks again, I knew I could probably NAT to an external IP per port, then send down the VPN (I've done that ...
I'm not even going to try to mess with it in 8.2 or older. I've done nat -> vpn on it before for vendor VPNs requiring specific source IPs. Not fun, much easier on 8.4. I'll take your advice and do separate NATs for each service instead of a service ...
I see that it keeps the IP when it NATs to port 80. How would I get that down a VPN?
Normal VPN NAT (as below) will ensure defined interesting traffic doesn't global NAT and tries to go down the defined VPN tunnel.
8.2: access-list nonat extended...
So the only way is to NAT before the VPN. I didn't want to have to do that, as then we can't define source traffic per the RADIUS auth the ISP is using to match IP traffic to user. If we NAT and then pump it down the tunnel, all the traffic is from a singl...