NAT with Site-to-site VPN on ASA / doubt on interesting traffic

amardram123
Level 1

(my VPN device) == (my edge fw) ==> Customer VPN fw

ASA 8.2 ==> ASA ==> customer ASA

Let's consider my LAN IP 172.20.1.1/32 natted to 20.20.x.20/32 before being sent to the customer. It's natted on my VPN device.

And the VPN device's outside IP 172.20.2.1/32 is natted to 20.20.x.15/32 on my edge firewall.

Let's assume the other end's LAN IP is 100.100.x.x/24.

I have a requirement where I need to configure a VPN and hide my internal IP from the customer through it. The design is given as above.

Should the interesting traffic ACL contain the natted IP or the pre-NAT IP?

Which interesting traffic ACL will work, considering it's running 8.2?

access-list VPN extended permit ip host 20.20.x.20 100.100.x.x 255.255.255.0

Or do I need to use

access-list VPN extended permit ip host 172.20.1.1 100.100.x.x 255.255.255.0


thanks

AD

4 Replies

Jon Marshall
Hall of Fame

In your example the crypto map acl should reference the 20.20.x.20 IP.

Jon

Thanks Jon,

Does the proxy ACL change if I am using 8.2 or 8.3?

thanks

AD


Do you mean the crypto map ACL?

If so then as far as I know there is no difference, you still reference the same IP.

Jon

Yes, crypto ACL/interesting traffic.

Thanks Jon, for the info. Got rusty on security stuff :-(
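The topology from this thread written out as an added ASA configuration example (not posted by anyone in the thread and not taken from Cisco documentation), showing why the crypto ACL references the post-NAT address on both 8.2 and 8.3+. It assumes placeholders for the octets the poster elided (X), the customer's peer address (CUSTOMER_PEER_IP), the pre-shared key, and crypto map / transform-set names of my own choosing.

```cisco
! Added example, not from the thread. X stands for the octet the poster left out;
! CUSTOMER_PEER_IP and the pre-shared key are placeholders.
!
! --- ASA 8.2 on the VPN device ---
! Translate the LAN host before it reaches the crypto map. For outbound traffic the
! ASA applies NAT first and evaluates the crypto ACL afterwards, so the ACL must
! match the post-NAT source. An entry for host 172.20.1.1 would never match here and
! the packet would not be selected for encryption.
static (inside,outside) 20.20.X.20 172.20.1.1 netmask 255.255.255.255
!
! Crypto ACL: post-NAT local host to the customer's LAN.
access-list VPN extended permit ip host 20.20.X.20 100.100.X.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! The edge firewall translates this ASA's outside IP 172.20.2.1 to 20.20.X.15, so
! IKE/ESP crosses a NAT: keep NAT-T enabled so ESP is carried inside UDP/4500.
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN
crypto map OUTSIDE_MAP 10 set peer CUSTOMER_PEER_IP
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group CUSTOMER_PEER_IP type ipsec-l2l
tunnel-group CUSTOMER_PEER_IP ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
!
! --- ASA 8.3+ on the VPN device: only the NAT statement changes, the ACL does not ---
object network LAN-HOST
 host 172.20.1.1
 nat (inside,outside) static 20.20.X.20
```

The customer side must mirror this: its peer is 20.20.X.15 (the edge-firewall translation of 172.20.2.1) and its crypto ACL permits 100.100.X.0/24 to host 20.20.X.20; the 172.20.x.x addresses never appear in either crypto ACL.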