10-14-2015 07:53 AM
(my VPN device)== (my edge fw) ==> Customer VPN fw
ASA 8.2 ==> ASA ==> customer ASA
Let's consider my LAN IP 172.20.1.1/32, NATed to 20.20.x.20/32 before being sent to the customer. It's NATed on my VPN device.
And the VPN device's outside IP 172.20.2.1/32 is NATed to 20.20.x.15/32 on my edge firewall.
Let's assume the other end's LAN is 100.100.x.x/24.
I have a requirement where I need to configure a VPN and hide my internal IP from the customer through it. The design is given above.
Should the interesting-traffic ACL contain the NATed IP or the pre-NAT IP?
Which interesting-traffic ACL will work, considering it's running 8.2?
access-list VPN extended permit ip host 20.20.x.20 100.100.x.x 255.255.255.0
or do I need to use
access-list VPN extended permit ip host 172.20.1.1 100.100.x.x 255.255.255.0
thanks
AD
10-14-2015 09:57 AM
In your example the crypto map ACL should reference the 20.20.x.20 IP.
Jon
10-15-2015 12:40 AM
Thanks Jon,
Does the proxy ACL change if I am using 8.2 or 8.3?
thanks
AD
10-15-2015 05:28 AM
Do you mean the crypto map ACL?
If so then as far as I know there is no difference, you still reference the same IP.
Jon
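The configuration that puts Jon's two answers together, as an added example that is not from the original thread: on the VPN device the host is translated by policy NAT only for traffic to the customer LAN, and the crypto ACL references the post-NAT address, because the ASA applies NAT to an outbound packet before matching it against the crypto map (this holds on both 8.2 and 8.3+; only the NAT syntax differs). The "x" octets of the thread's addresses are written as 0 purely as a stand-in, the customer peer 203.0.113.10, the pre-shared key and all ACL/object/map names are assumed, and the edge-firewall lines are included only to show what the design requires of it.

```text
! ===== VPN device (ASA 8.2): NAT happens before the crypto map is consulted =====
! Policy static NAT: 172.20.1.1 is seen as 20.20.0.20 only when it talks to 100.100.0.0/24
access-list NAT_TO_CUSTOMER extended permit ip host 172.20.1.1 100.100.0.0 255.255.255.0
static (inside,outside) 20.20.0.20 access-list NAT_TO_CUSTOMER
!
! Crypto ACL / interesting traffic: the POST-NAT address, as the customer sees it
access-list VPN extended permit ip host 20.20.0.20 100.100.0.0 255.255.255.0
!
! IKEv1; NAT-T is mandatory here because this ASA sits behind the edge firewall's NAT
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <shared-secret>
!
! ===== Same NAT on ASA 8.3+ (twice NAT). The crypto ACL "VPN" above is unchanged. =====
object network LAN_HOST
 host 172.20.1.1
object network LAN_HOST_MAPPED
 host 20.20.0.20
object network CUSTOMER_LAN
 subnet 100.100.0.0 255.255.255.0
nat (inside,outside) source static LAN_HOST LAN_HOST_MAPPED destination static CUSTOMER_LAN CUSTOMER_LAN
!
! ===== Edge firewall (8.2 syntax): expose the VPN device's outside IP and let IKE/NAT-T in =====
! With NAT-T the ESP is carried in UDP 4500, so only UDP 500 and 4500 need to be permitted.
! On 8.2 the inbound ACL references the MAPPED address; on 8.3+ it would reference 172.20.2.1.
static (inside,outside) 20.20.0.15 172.20.2.1 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 20.20.0.15 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 20.20.0.15 eq 4500
access-group OUTSIDE_IN in interface outside
```

The customer's side must mirror this view of the design: their peer address is 20.20.x.15 (the edge firewall's translation of the VPN device), not 172.20.2.1, and their crypto ACL is the mirror image of "VPN" (100.100.x.x/24 to host 20.20.x.20). If the crypto ACL on the VPN device referenced 172.20.1.1 instead, the translated packet would never match it, no SA would be built for that flow, and the traffic would leave in the clear toward the edge firewall.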
10-15-2015 05:48 AM
Yes, crypto ACL/interesting traffic.
Thanks Jon for the info... I've got rusty on security stuff :-(