understanding asa config statement

Hello,

Im creating a vpn tunnel and here is the config below from the ASA. Next to some of the statements I wrote in parenthesis what I'm thinking each statement actually means, I think I have a pretty good idea but I would appreciate any help in someone explaining anything I'm missing or explaining it better. Thanks.

 

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?


nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp

(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set AES-256_SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?
LVL 7
tolinromeAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Mmm DM_INLINE_TCP_1 is more likely to be a group with some ports in it. This ACL (if used for VPN, never assume) will encrpt all traffic from 10.10.10.0/24 going anywhere.

Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Yes;

no access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
then
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any


(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)

I know its confusing! Its called twice NAT - normally you get the source listed twice and the destination listed twice, this means DONT NAT
See my article below
Cisco ASA 5500 Site to Site VPN (From CLI)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)

Bingo! it means if the traffic matches then 'Fire' this cryptomap and encrypt traffic again see the link above.

crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?

Right again!

PL
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tolinromeAuthor Commented:
Sorry, I copied "DM_INLINE_TCP_1" instead of "object-group network DM_INLINE_NETWORK_1".

So why does the access list have the object name after the any?

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
0
Pete LongTechnical ConsultantCommented:
Becase the syntax of an ACL is

access-list name permit/deny type source destination port/type

So 10.10.10.0 255.255.255.0 is the source
any is the destination
object-group DM_INLINE_TCP_1 will be an object group with some ports in it

do a show run, DM_INLINE_TCP_1 will be in the top third with some port-object in it

Pete
0
tolinromeAuthor Commented:
Thank you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.