Solved

understanding asa config statement

Posted on 2014-09-25
4
453 Views
Last Modified: 2014-09-26
Hello,

Im creating a vpn tunnel and here is the config below from the ASA. Next to some of the statements I wrote in parenthesis what I'm thinking each statement actually means, I think I have a pretty good idea but I would appreciate any help in someone explaining anything I'm missing or explaining it better. Thanks.

 

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?


nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp

(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set AES-256_SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?
0
Comment
Question by:tolinrome
  • 2
  • 2
4 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40344807
(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Mmm DM_INLINE_TCP_1 is more likely to be a group with some ports in it. This ACL (if used for VPN, never assume) will encrpt all traffic from 10.10.10.0/24 going anywhere.

Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Yes;

no access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
then
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any


(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)

I know its confusing! Its called twice NAT - normally you get the source listed twice and the destination listed twice, this means DONT NAT
See my article below
Cisco ASA 5500 Site to Site VPN (From CLI)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)

Bingo! it means if the traffic matches then 'Fire' this cryptomap and encrypt traffic again see the link above.

crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?

Right again!

PL
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40346118
Sorry, I copied "DM_INLINE_TCP_1" instead of "object-group network DM_INLINE_NETWORK_1".

So why does the access list have the object name after the any?

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40346618
Becase the syntax of an ACL is

access-list name permit/deny type source destination port/type

So 10.10.10.0 255.255.255.0 is the source
any is the destination
object-group DM_INLINE_TCP_1 will be an object group with some ports in it

do a show run, DM_INLINE_TCP_1 will be in the top third with some port-object in it

Pete
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40346679
Thank you.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now