Hi All
I could do with a little help in understanding this:
I am labbing a setup with:

                public subnet                   private subnet
R1 (SP) ----------------------- R2 (NAT) ----------------------- R3 (CPE)
   f1/0                 f1/0 outside    f1/1 inside                 f1/0
A tunnel will be set up between R1 and R3, and the private subnet will be NATed to the outside interface on R2.
I have a few points I am confused with:
1) When I apply an access-list to the crypto map, I don't know which addresses it should reference.
e.g.
on R1 my ACL would read:
ip access-list extended Customer
permit gre host (ip of R1 f1/0) host (ip of R2 f1/0)
I read it like this because R3's address will be NATed to the f1/0 address of R2.
However, this means that the matching ACL on R3 looks strange/incorrect if it is going to match.
I read the R3 ACL like this:
ip access-list extended Customer1
permit gre host (ip of R2 f1/0) host (ip of R1 f1/0)
Can someone explain/guide me as to what addresses I would reference in these ACLs? It is boggling my mind.
2) Given that we are NATing, when I create the ISAKMP profiles what would I use for the match identity address statements on each side? I am new to the match identity statement. I have read about it but do not fully understand what addresses I can use. I am also assuming that these addresses are not meant to be the same on each side?
I have labbed this up but got myself in a horrible mess because I wasn't sure which addresses to use in which ACLs etc.
I know there are a lot of questions, but I would really appreciate any help you guys can provide.
Thanks.
Received on Tue May 24 2011 - 08:23:39 ART
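As an added illustration (not from the post or any reply), the following Python model walks one GRE packet from R3 to R1 through the NAT on R2 and records which addresses each router's crypto ACL actually evaluates. It assumes the crypto maps sit on R3 f1/0 and R1 f1/0 (so R3 encrypts before R2 translates), that NAT-T carries the ESP across R2, and that the interface addresses are constructed placeholders.

```python
# Constructed placeholder addresses for the lab in the post (not real values).
R1_PUB = "198.51.100.1"   # R1 f1/0, SP side
R2_OUT = "198.51.100.2"   # R2 f1/0 outside, the address R3 is NATed to
R3_PRIV = "10.0.0.2"      # R3 f1/0, CPE side (private)


def gre(src, dst):
    """Plaintext GRE packet as the tunnel interface hands it to the crypto map."""
    return {"proto": "gre", "src": src, "dst": dst}


def encrypt(plain, local, peer):
    """Crypto map: the GRE packet becomes the opaque payload of an outer ESP/NAT-T header."""
    return {"proto": "esp", "src": local, "dst": peer, "inner": plain}


def nat(pkt, inside, outside):
    """R2 'ip nat inside source': only the OUTER header is rewritten, the payload is untouched."""
    if pkt["src"] == inside:
        return {**pkt, "src": outside}
    if pkt["dst"] == outside:
        return {**pkt, "dst": inside}
    return pkt


def acl_line(pkt):
    """Render the crypto ACL entry that matches this plaintext packet."""
    return f"permit {pkt['proto']} host {pkt['src']} host {pkt['dst']}"


def mirror(line):
    """Crypto ACLs must mirror each other: swap source and destination."""
    _, proto, _, src, _, dst = line.split()
    return f"permit {proto} host {dst} host {src}"


def walk_r3_to_r1():
    plain = gre(R3_PRIV, R1_PUB)                  # what R3's crypto ACL evaluates (pre-NAT)
    r3_acl = acl_line(plain)
    outer = nat(encrypt(plain, R3_PRIV, R1_PUB), R3_PRIV, R2_OUT)  # as it leaves R2
    peer_at_r1 = outer["src"]                     # the IKE/ESP peer address R1 actually sees
    decrypted = outer["inner"]                    # inner GRE still carries R3's private address
    r1_acl = mirror(acl_line(decrypted))          # R1's ACL must mirror the decrypted packet
    return {"r3_acl": r3_acl, "r1_acl": r1_acl, "peer_at_r1": peer_at_r1}


if __name__ == "__main__":
    for key, value in walk_r3_to_r1().items():
        print(f"{key}: {value}")
```

The point the walk makes visible is that R2's translation changes only the outer peer address R1 sees, while the addresses inside the crypto ACLs on both ends stay the pre-NAT GRE endpoints.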