06-27-2010 06:15 PM
Hi All,
Please find my requirements below & the test results.
Existing Setup
Requirement
static (inside,outside) 10.1.1.1 access-list CLIENT_VPN_Policy_NAT
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1
access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1
Test Results
Problem
Question
I was assuming that POLICY-NAT will reflect only the tunnel where I configure it, but this seems to be reflecting all whomsoever is using 10.1.1.1.
07-08-2010 06:42 AM
This is the default behavior of Policy NAT. For incoming traffic, it won't consider the source IP mentioned in the Policy NAT ACL.
As a workaround you need to apply filtering via access-lists. By default there is no ACL check for VPN traffic, you have to enable it via sysopt commands.
Alternatively you can put an outbound ACL on the inside interface, allowing access to 10.1.1.2 from the 192.168.1.1 client only. Don't forget to permit everything else at the end of the ACL.
Regards
Farrukh
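The two workarounds above, written out as an added example (not config from the original post); the ACL names OUTSIDE_IN and INSIDE_OUT are assumed, and the addresses are the ones from the thread's pre-8.3 setup:

```cisco
! Option 1: stop VPN traffic from bypassing interface ACLs, then filter it
! Caveat: with this off, EVERY tunnel's traffic must be permitted explicitly
no sysopt connection permit-vpn
!
! Pre-8.3 ASA: the outside inbound ACL matches the mapped address 10.1.1.1,
! so only the client 192.168.1.1 is allowed to reach it
access-list OUTSIDE_IN extended permit ip host 192.168.1.1 host 10.1.1.1
! ... add permits here for the other tunnels/hosts that still need access ...
access-group OUTSIDE_IN in interface outside
!
! Option 2: leave sysopt alone and filter on the way out of the inside interface
! (real address 10.1.1.2 is visible here, after untranslation)
access-list INSIDE_OUT extended permit ip host 192.168.1.1 host 10.1.1.2
! other sources that were being caught by the same static are blocked
access-list INSIDE_OUT extended deny ip any host 10.1.1.2
! everything else keeps flowing as before
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
```

Use one option or the other; verify with `show access-list` hit counts that the deny line is only counting the unwanted sources.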
07-08-2010 06:55 AM
Thanks Farrukh. Let me try this & shall get back to you some time during next week.