06-09-2013 01:56 PM
Hi there,
I am trying to create a second VPN connection on our company's Cisco PIX. It almost works, but I am having problems getting the NAT rules to work for both VPNs.
The config is attached but the key areas are below.
access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN
nat (inside) 0 access-list LeasedLine_20_cryptomap
nat (inside) 101 192.168.60.0 255.255.255.0
nat (DMZ) 101 172.30.60.0 255.255.255.0
nat (GM3) 101 192.168.70.0 255.255.255.0
crypto map LeasedLine_map 20 match address LeasedLine_20_cryptomap
crypto map LeasedLine_map 20 set peer 161.xxx.106.34
crypto map LeasedLine_map 20 set transform-set ESP-3DES-MD5
crypto map LeasedLine_map 40 match address LeasedLine_40_cryptomap
crypto map LeasedLine_map 40 set peer 213.xxx172.253
crypto map LeasedLine_map 40 set transform-set ESP-AES-128-SHA
The problem I have is with the nat (inside) 0 command. If I add the command
nat (inside) 0 access-list LeasedLine_40_cryptomap, the 2nd VPN (Insight) works, but the first one stops working.
Can anyone help me to get this working?
Cheers,
Al
06-09-2013 02:11 PM
Hi,
You can't have multiple configurations which have "nat (inside) 0 access-list".
Instead of this, you use a single ACL to define the traffic you don't want to NAT, or for which you want to do NAT0.
So you can do this, for example:
access-list INSIDE-NAT0 extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list INSIDE-NAT0 extended permit ip object-group LAN_subnet object-group InsightLAN
nat (inside) 0 access-list INSIDE-NAT0
And both connections should work just fine.
If you ever happened to configure a third VPN connection for example you would simply add another line to the same ACL.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
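As an added illustration of Jouni's point (not part of the original thread), the following script is a small config-lint check: it parses the PIX lines posted above, flags an interface that carries more than one "nat (if) 0 access-list" statement, and emits the merged single-ACL form. The sample config and the merged ACL name INSIDE-NAT0 are taken from the thread; the parsing regexes are this example's own assumption about the line syntax.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's two crypto ACLs plus both nat 0 statements
# (the second is the one the poster tried to add).
SAMPLE_CONFIG = """\
access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN
nat (inside) 0 access-list LeasedLine_20_cryptomap
nat (inside) 0 access-list LeasedLine_40_cryptomap
nat (inside) 101 192.168.60.0 255.255.255.0
"""

# Assumed syntax: "access-list NAME extended ..." and "nat (IF) 0 access-list NAME".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(extended\s+.*)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")

def parse(config):
    """Return (ACL entries keyed by ACL name, list of (interface, acl) nat 0 statements)."""
    acls = defaultdict(list)
    nat0 = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append((m.group(1), m.group(2)))
    return acls, nat0

def conflicting_nat0(nat0):
    """Interfaces with more than one nat 0 ACL: as the thread reports, only one can be in effect."""
    per_if = defaultdict(list)
    for iface, acl in nat0:
        per_if[iface].append(acl)
    return {iface: names for iface, names in per_if.items() if len(names) > 1}

def merged_nat0(config, merged_name):
    """Rewrite the conflicting ACLs into one ACL per interface, followed by a single nat 0 line."""
    acls, nat0 = parse(config)
    out = []
    for iface, names in sorted(conflicting_nat0(nat0).items()):
        for name in names:
            for entry in acls.get(name, []):
                out.append(f"access-list {merged_name} {entry}")
        out.append(f"nat ({iface}) 0 access-list {merged_name}")
    return out
```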
06-09-2013 02:19 PM
That's awesome. Thanks a lot.