Solved

understanding asa config statement

Posted on 2014-09-25
Last Modified: 2014-09-26
Hello,

I'm creating a VPN tunnel and here is the config below from the ASA. Next to some of the statements I wrote in parentheses what I'm thinking each statement actually means. I think I have a pretty good idea, but I would appreciate any help in someone explaining anything I'm missing or explaining it better. Thanks.

 

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?


nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp

(My goal is to not have the interesting traffic NATed. So why does it say "nat" and not "nat0"? Also, since my source and destination address/network is the same, does that mean it is NATing itself, its own address?)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set AES-256_SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside (this is the interface on which the VPN establishes or encrypts the traffic)?
Question by:tolinrome
4 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40344807
(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Mmm, DM_INLINE_TCP_1 is more likely to be a group with some ports in it. This ACL (if used for VPN, never assume) will encrypt all traffic from 10.10.10.0/24 going anywhere.

Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Yes;

no access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
then
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any


(My goal is to not have the interesting traffic NATed. So why does it say "nat" and not "nat0"? Also, since my source and destination address/network is the same, does that mean it is NATing itself, its own address?)

I know it's confusing! It's called twice NAT - normally you get the source listed twice and the destination listed twice; this means DON'T NAT.
See my article below
Cisco ASA 5500 Site to Site VPN (From CLI)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)

Bingo! it means if the traffic matches then 'Fire' this cryptomap and encrypt traffic again see the link above.

crypto map outside_map interface outside (this is the interface on which the VPN establishes or encrypts the traffic)?

Right again!

PL
 
LVL 7

Author Comment

by:tolinrome
ID: 40346118
Sorry, I copied "DM_INLINE_TCP_1" instead of "object-group network DM_INLINE_NETWORK_1".

So why does the access list have the object name after the any?

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
 
LVL 57

Expert Comment

by:Pete Long
ID: 40346618
Because the syntax of an ACL is

access-list name permit/deny type source destination port/type

So 10.10.10.0 255.255.255.0 is the source
any is the destination
object-group DM_INLINE_TCP_1 will be an object group with some ports in it

do a show run, DM_INLINE_TCP_1 will be in the top third with some port-object in it

Pete
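As an added example (not part of this thread or of any Cisco tooling), the following script applies the two explanations above when auditing a config dump: it splits each extended ACE into name, action, protocol, source, destination and port field, and it flags twice-NAT statements where the real and mapped objects are identical (identity NAT, i.e. "don't NAT") versus ones that actually translate. The sample config is constructed in the shape of the lines quoted in the question, and INSIDE-NET / OUTSIDE-PAT are made-up object names.

```python
import re

# Constructed sample in the shape of the lines quoted in the thread (not a real device dump).
SAMPLE_CONFIG = """
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static INSIDE-NET OUTSIDE-PAT
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(?: service (\S+) (\S+))?")

def _take_addr(tokens):
    """Consume one address field: 'any' is one token; host/object/object-group and 'ip mask' are two."""
    if not tokens:
        return None, []
    n = 1 if tokens[0].startswith("any") else 2
    return " ".join(tokens[:n]), tokens[n:]

def parse_acl(line):
    """Split an extended ACE into name, action, protocol, source, destination and trailing port field."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, rest = _take_addr(rest.split())
    dst, rest = _take_addr(rest)
    return {"name": name, "action": action, "protocol": proto, "source": src,
            "destination": dst, "port": " ".join(rest) or None}

def parse_nat(line):
    """Classify a twice-NAT statement: identity means real == mapped for every listed object."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    in_if, out_if, real, mapped, d_real, d_mapped, s_real, s_mapped = m.groups()
    identity = real == mapped and d_real == d_mapped and s_real == s_mapped
    return {"interfaces": (in_if, out_if), "real": real, "mapped": mapped,
            "service": s_real, "identity": identity}

def audit(config):
    """Return parsed ACEs, parsed NAT rules, and the subset of NAT rules that actually translate."""
    lines = config.splitlines()
    aces = [a for a in (parse_acl(l) for l in lines) if a]
    nats = [n for n in (parse_nat(l) for l in lines) if n]
    return aces, nats, [n for n in nats if not n["identity"]]
```

A NAT rule that shows up in the translating list while its real object overlaps the crypto ACL source is the case worth a second look, since the VPN traffic would be translated before encryption.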
 
LVL 7

Author Comment

by:tolinrome
ID: 40346679
Thank you.
