Cisco ASA tunnel access-list question

dpatkins
Level 1

We have created an IPsec site-to-site tunnel. Originally only two IP addresses were authorized to access the tunnel. Now they are asking for all addresses. My question is, if I use access-list inside_access_in extended permit ip any host 10.60.55.10, do I also need to do a NAT statement that permits this?

And when we modify the Site to Site VPN connection profile, I am going to have to allow any across this tunnel as well, correct?

Thank you and hope this makes sense.  We were originally thinking policy based routing on core closest to the source.

Dwane

1 Accepted Solution

Accepted Solutions

nkarthikeyan
Level 7

Hi Dwane,

If you used NAT then I say yes, you need to consider NATing. Normally in a private LAN over L2L scenario you could have used no-nat. If you have identical LANs at both ends then you could have NATed to different subnets on both ends. If you use NAT over public IP then it will be a public IP based L2L. So it depends on your present setup.

If you use any to 10.60.55.10, then from your site any subnet that flows through the VPN firewall towards 10.60.55.10 is allowed. Here you might need to modify NAT as source any.

But the problem comes from the other end. For them the source will be 10.60.55.10 and the destination would be any, so all the traffic initiated from host 10.60.55.10 will be taken through the tunnel.

So instead of making the statement as any, you make it to its respective supernets, 172.16.0/16 for example.

Regards

Karthik

2 Replies

Good afternoon,
I appreciate the quick responses, but I am confused about the proper syntax. I have been looking at dynamic NAT all day. I am hoping this is where I would need to look.

I would like to allow any IP address on our local network that is destined for 3 IP addresses on a report site to go through the ASA and be NATed to a 10.254.254.0 subnet dynamically. So I guess what I could do is take 10.254.254.10 - 10.254.254.250 and make it a NAT pool for this process, and then take 10.254.254.254 and make it a PAT address just in case we run out of address space.

What is the proper syntax to configure this?

Is it nat (any, outside) 3 any any 10.254.254.0 10.254.254.0 ?

Thank you for your assistance.

Dwane
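As an added example (not posted by anyone in this thread), the following ASA 8.3+ configuration implements what Dwane describes in his second post and follows Karthik's advice to avoid "any": inside hosts reaching the three report hosts are dynamically NATed to the 10.254.254.10-250 pool with 10.254.254.254 as the PAT fallback, and both the interface ACL and the crypto ACL are scoped to the report hosts, so the remote peer only ever sees the 10.254.254.0/24 pool rather than the whole LAN. The inside subnet 10.0.0.0/8, the second and third report hosts 10.60.55.11 and 10.60.55.12, the crypto map name OUTSIDE-MAP and the ACL name L2L-TO-REPORTS are assumptions; only 10.60.55.10 and inside_access_in appear in the thread.

```cisco
! Added example, not from the thread. ASA 8.3+ object-based NAT syntax.
! Assumed values: inside LAN 10.0.0.0/8, report hosts .11 and .12.
object network INSIDE-LAN
 subnet 10.0.0.0 255.0.0.0
object-group network REPORT-HOSTS
 network-object host 10.60.55.10
 network-object host 10.60.55.11
 network-object host 10.60.55.12
! Mapped addresses: the range is used for dynamic NAT; the host in the
! same group is used for PAT once the range is exhausted.
object network VPN-NAT-POOL
 range 10.254.254.10 10.254.254.250
object network VPN-PAT-ADDR
 host 10.254.254.254
object-group network VPN-MAPPED
 network-object object VPN-NAT-POOL
 network-object object VPN-PAT-ADDR
! Twice NAT scoped by destination: only traffic to the report hosts is
! translated; everything else keeps its existing NAT behaviour.
nat (inside,outside) source dynamic INSIDE-LAN VPN-MAPPED destination static REPORT-HOSTS REPORT-HOSTS
! Interface ACL (from 8.3 on, ACLs match real, pre-NAT addresses):
! permit only the report hosts rather than "ip any host".
access-list inside_access_in extended permit ip object INSIDE-LAN object-group REPORT-HOSTS
! Crypto ACL matches the mapped (post-NAT) source, so the remote peer's
! mirror ACL is 10.254.254.0/24 <-> report hosts, never "any".
access-list L2L-TO-REPORTS extended permit ip 10.254.254.0 255.255.255.0 object-group REPORT-HOSTS
crypto map OUTSIDE-MAP 10 match address L2L-TO-REPORTS
! Check which NAT rule a flow hits and that it then matches the crypto ACL:
! packet-tracer input inside tcp 10.1.2.3 12345 10.60.55.10 443
```

The packet-tracer line is the quickest way to confirm that a flow to a report host is translated into the pool and encrypted, while a flow to any other destination is not touched by this rule.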