[nsp] IPSec on Pix to Pix

Jarrod Baumann jarrod at advmed.com
Mon Apr 28 19:37:55 EDT 2003


James,

#1 yes use the private local source and destination for the access-list that
will match the interesting traffic.  

It sounds to me like you have the proper config, but maybe are lacking the
nat (inside) 0 CLI command that tells it not to actually NAT the traffic so
that the crypto policy can then route it to the tunnel destination.

If you have only one crypto map policy then it would be sufficient to use
the same ACL for your nat 0 statement.  If you have multiple VPN endpoints
then you will need to create a new ACL defining the traffic for all VPN
tunnels.

Hope this helps.

Jarrod
kang

On Mon, 28 Apr 2003, James hampton wrote:

:The Pix does not seem to be encapsulating the "interesting packets". We are using NAT. My question is when I create the access-list which will define traffic to be encrypted, do I use the inside private addrs for local_source and destination (access-list ipsec 192.168.0.1 255.255.255.0 192.168.2.0 255.255.255.0) or do I use the private for the local_source and the global addr of the destination (access-list ipsec 192.168.0.1 255.255.255.0 64..X.X.X 255.255.255.0).
:
:I'm using pre-share and the configs appear to be mirrored exactly and the traffic just isn't getting encrypted.
:
:James
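A worked configuration illustrating Jarrod's advice above. This is an added example, not taken from either poster's firewall. It assumes PIX 6.x syntax, James's inside network 192.168.0.0/24, two remote sites 192.168.2.0/24 and 192.168.3.0/24 behind peers at the constructed documentation addresses 203.0.113.10 and 203.0.113.20, a placeholder pre-shared key, and that the PIX has a normal nat/global pair for Internet traffic (which is exactly the case where the nat 0 exemption is needed). The crypto ACLs and the nat 0 exemption ACL all use private addresses on both sides, and because there are two tunnels the exemption ACL is a separate list that covers both.

```cisco
: Example PIX 6.x fragment (added example, constructed addresses and key).
: Lines starting with a colon are comments in a PIX config file.

: Interesting traffic, one ACL per tunnel, private-to-private on both sides.
access-list vpn-siteA permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-siteB permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

: NAT exemption. With two tunnels this must be a separate ACL that is the
: union of every crypto ACL; with a single tunnel vpn-siteA alone would do.
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

: nat 0 is evaluated before the ordinary nat statement, so tunnel traffic
: keeps its private source address and still matches the crypto ACL.
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

: Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

: Phase 2 policy, one crypto map entry per peer.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-siteA
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address vpn-siteB
crypto map vpnmap 20 set peer 203.0.113.20
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside

: Phase 1 with pre-shared keys, one key per peer (placeholder values).
isakmp enable outside
isakmp key PLACEHOLDER-KEY-A address 203.0.113.10 netmask 255.255.255.255
isakmp key PLACEHOLDER-KEY-B address 203.0.113.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

To confirm the exemption is actually being hit, `show access-list nonat` should show its hit counts rising when hosts on 192.168.0.0/24 talk to the remote sites, and `show crypto ipsec sa` should show the `#pkts encaps` counter increasing for the matching peer. If `nonat` gets no hits while `nat (inside) 1` traffic flows, the packets are being translated before the crypto map sees them, which is the symptom James describes.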