VPN doubt

Network Pro (Level 1)

Hi,

I have configured an L2L tunnel on my side; it is yet to be configured on the other side. Just wondering, will I be able to see anything if I do

sh crypto isakmp sa? (Will there be any entries?)

Also, do I have to exempt NAT on the inside interface? If I don't, then what would happen? (Sorry, a bit confused.) Both firewalls are on the same LAN; I just want to create an encrypted tunnel.

Thanks

12 Replies

Jennifer Halim (Cisco Employee)

You won't be able to see any output if you do "sh crypto isakmp sa" until the IPSec VPN phase 1 gets established.

You would need to send traffic through the tunnel to initiate the VPN tunnel.

If you see "MM_ACTIVE" or "QM_IDLE" from the "sh crypto isakmp sa" output, that means phase 1 is established.

The crypto ACL that you configure needs to match the clear text traffic (ie: traffic that you would like to encrypt), so whether it's being NATed or being exempted from NAT, it needs to match.

If you don't want to perform any NATing, then yes, you would need to configure NAT exempt.

Thanks for the reply.

1. When you say the crypto ACL needs to match, do you mean the IP address range allowed on one side needs to match the other?

Ex:

access-list abc extended permit ip host 10.10.10.10 10.10.20.0 255.255.255.0

Should their side be

access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.10

For example, will this work:

access-list abc extended permit ip host 10.10.10.10 10.10.20.0 255.255.255.0

access-list abc extended permit ip host 10.10.10.100 10.10.20.0 255.255.255.0

Should their side be

access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.10

Or is an access list needed to allow 10.10.10.100 to get the tunnel up?

Also, if I don't NAT exempt, then what's the default?

Thanks

When I say the crypto ACL needs to match, I mean that if you are NATing your traffic, then the crypto ACL needs to match on the NATed address/subnet, and if you don't NAT, then the crypto ACL needs to match the real IP subnet.

Your statement is also correct; you would also need to configure a mirror-image ACL on both ends of the tunnel:

- If you have 2 lines of ACL on one side, the other side also needs to have 2 mirrored lines of ACL:

Eg:

Side-A:

access-list abc extended permit ip host 10.10.10.10 10.10.20.0 255.255.255.0

access-list abc extended permit ip host 10.10.10.100 10.10.20.0 255.255.255.0

Side-B:

access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.10

access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.100

For NAT exemption, it really depends on what is currently configured on your firewall, and whether there is any other NATing configured on the firewall.

There is NATing configured on the firewall, but that is just for a different subnet, not the ones for the LAN-to-LAN tunnel.

There is also a dynamic NAT which says any to any on the outside interface. I take it that it is NATing any address from inside to the outside address (10.10.10.10). Is that correct?

Thanks

If you have an existing nat statement on an interface, then you would need to configure NAT exemption if you don't want to NAT the traffic.

What version of firewall are you running? Depending on the version, the syntax is different.

Version 7.2.

My confusion is that I don't want to NAT the traffic, as I still want them to access our network from the 10.10.20.20 address... but I'm just wondering, if I don't give a NAT exempt, will it NAT by default?

Also, what does this statement do?

nat dynamic any (inside) any (outside) on the outside interface?

Thanks

If you don't want to NAT, then just configure NAT exemption.

Here is the sample configuration:

access-list nonat permit ip

nat (inside) 0 access-list nonat

I have never actually seen any command as stated:

nat dynamic any (inside) any (outside) on the outside interface

Is this configuration on PIX or ASA version 7.2?

It should be something like this:

nat (inside) 1 0 0

global (outside) 1 interface

Yes, that's correct; I just expanded the statement.

What does global (outside) interface mean? Does it mean any IP address will get NATed as the outside address?

Thanks

The NAT statement is the command that determines which source subnet/IP address needs to be NATed:

nat (inside) 1 0 0

"0 0" basically means anything coming through from the inside interface needs to be NATed.

The global statement means what IP address it gets NATed to.

global (outside) 1 interface

means that it will get NATed to the outside interface IP address of the firewall.

The nat and global statements come in a pair with the sequence number.

From the above example, the sequence is 1, so those are the nat/global pair.

Traffic coming from inside interface will get NATed to outside interface ip address.

Thanks, I have understood now.

In my example, we are using internal addressing, but the outside firewall address or peer address is different.

(We are using the 172.16.x.x range inside, and the outside address of the firewall is in the 10.x.x.x range, but the other side is just using the 10.x.x.x range for their firewall and internal as well.) Which means I will have to NAT my side and they don't have to, isn't it? Please correct me if I am wrong. Also, if I don't NAT my side, will it still work? (As my address will go outside as the 172.16.x.x range.)

Thanks

I am assuming that you would like to encrypt traffic from 172.16.x.x range from your inside, towards the remote subnet, ie: 10.x.x.x, right?

If this is the case, then you would need to configure the following:

access-list nonat permit ip 172.16.x.x 10.x.x.x

nat (inside) 0 access-list nonat

The above statement is to configure NAT exemption, ie: not NATing the traffic.
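The two points the thread keeps returning to, that the crypto ACLs on Side-A and Side-B must be mirror images of each other and that a `nat (inside) 0 access-list nonat` exemption is evaluated before the `nat (inside) 1 0 0` / `global (outside) 1 interface` pair, can both be checked offline before either firewall is touched. The script below is an added example written for this thread, not code from Cisco or from any participant: it parses the `access-list ... extended permit ip` lines in the style used above, reports any entry on one side that has no swapped-source/destination twin on the other, and models which source address a packet leaves the outside interface with. The addresses in `SIDE_A`/`SIDE_B` come from the Side-A/Side-B example; `NONAT` fills in the thread's `172.16.x.x` / `10.x.x.x` placeholders with constructed masks, and `OUTSIDE_IF_IP` is a constructed placeholder for the firewall's outside address. Only the `permit ip` form is modelled, and the NAT model covers exemption plus the one dynamic nat/global pair discussed here, not static or policy NAT.

```python
import ipaddress

# Constructed sample input, modelled on the ACLs posted in the thread.
SIDE_A = [
    "access-list abc extended permit ip host 10.10.10.10 10.10.20.0 255.255.255.0",
    "access-list abc extended permit ip host 10.10.10.100 10.10.20.0 255.255.255.0",
]
SIDE_B = [
    "access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.10",
    "access-list abc extended permit ip 10.10.20.0 255.255.255.0 host 10.10.10.100",
]
# The thread's 172.16.x.x / 10.x.x.x placeholders with constructed masks.
NONAT = ["access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0"]
OUTSIDE_IF_IP = "192.0.2.1"  # constructed placeholder for the outside interface address


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl_line(line):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into (name, src_net, dst_net).
    Only the 'permit ip' form used in the thread is handled; anything else raises."""
    tokens = line.split()
    if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
        raise ValueError(f"unsupported ACL line: {line!r}")
    name = tokens[1]
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError(f"only 'permit ip' is modelled: {line!r}")
    src, rest = _take_addr(tokens[i + 2:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens not understood: {rest}")
    return name, src, dst


def _fmt(src, dst):
    return f"{src} -> {dst}"


def mirror_diff(side_a, side_b):
    """Compare Side-A's crypto ACL with Side-B's. Side-B entries are read with
    source and destination swapped, so a perfect mirror image yields ([], []).
    Returns (entries on A with no twin on B, entries on B with no twin on A)."""
    a = {(s, d) for _, s, d in map(parse_acl_line, side_a)}
    b_mirrored = {(d, s) for _, s, d in map(parse_acl_line, side_b)}
    missing_on_b = sorted(_fmt(s, d) for s, d in a - b_mirrored)
    extra_on_b = sorted(_fmt(s, d) for s, d in b_mirrored - a)
    return missing_on_b, extra_on_b


def translated_source(src_ip, dst_ip, nonat_lines, dynamic_nat=True, outside_ip=OUTSIDE_IF_IP):
    """Source address a packet from the inside interface leaves the firewall with.
    NAT exemption ('nat (inside) 0 access-list nonat') is checked first: a hit keeps
    the real address, which is what the crypto ACL on the far side must then match.
    Otherwise 'nat (inside) 1 0 0' + 'global (outside) 1 interface' rewrites the
    source to the outside interface address (the thread's 'will it NAT by default')."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in nonat_lines:
        _, s, d = parse_acl_line(line)
        if src in s and dst in d:
            return src_ip
    return outside_ip if dynamic_nat else src_ip


if __name__ == "__main__":
    print("mirror diff, full Side-B:", mirror_diff(SIDE_A, SIDE_B))
    print("mirror diff, Side-B missing .100 line:", mirror_diff(SIDE_A, SIDE_B[:1]))
    print("172.16.5.5 -> 10.1.2.3 leaves as", translated_source("172.16.5.5", "10.1.2.3", NONAT))
    print("172.16.5.5 -> 198.51.100.7 leaves as", translated_source("172.16.5.5", "198.51.100.7", NONAT))
```

Run it as-is and the first call reports an empty diff, while dropping the second Side-B line reproduces the OP's "what if I only mirror one of them" case by listing `10.10.10.100/32 -> 10.10.20.0/24` as missing. The NAT check shows why the nonat ACL has to cover the same pair of subnets as the crypto ACL: traffic to the remote 10.x.x.x range keeps its 172.16.x.x source only because the exemption matches first, whereas any other destination is rewritten to the outside interface address.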