Solved

understanding asa config statement

Posted on 2014-09-25
4
480 Views
Last Modified: 2014-09-26
Hello,

Im creating a vpn tunnel and here is the config below from the ASA. Next to some of the statements I wrote in parenthesis what I'm thinking each statement actually means, I think I have a pretty good idea but I would appreciate any help in someone explaining anything I'm missing or explaining it better. Thanks.

 

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?


nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp

(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set AES-256_SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?
0
Comment
Question by:tolinrome
  • 2
  • 2
4 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40344807
(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1 which is the inside network of 10.10.10.0)? Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Mmm DM_INLINE_TCP_1 is more likely to be a group with some ports in it. This ACL (if used for VPN, never assume) will encrpt all traffic from 10.10.10.0/24 going anywhere.

Is there a way to remove the "DM_INLINE_TCP_1" from the cli?

Yes;

no access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
then
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any


(My goal is to not have the interesting traffic nated. So why does it sat "nat" and not "nat0"? Also since my source and destination address\network is the same does that mean it is nating its self, its own address?)

I know its confusing! Its called twice NAT - normally you get the source listed twice and the destination listed twice, this means DONT NAT
See my article below
Cisco ASA 5500 Site to Site VPN (From CLI)


crypto map outside_map 1 match address outside_cryptomap (this is the acl from line 1?)

Bingo! it means if the traffic matches then 'Fire' this cryptomap and encrypt traffic again see the link above.

crypto map outside_map interface outside (this is the interface in which the vpn extablishes or encrypts the traffic on)?

Right again!

PL
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40346118
Sorry, I copied "DM_INLINE_TCP_1" instead of "object-group network DM_INLINE_NETWORK_1".

So why does the access list have the object name after the any?

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40346618
Becase the syntax of an ACL is

access-list name permit/deny type source destination port/type

So 10.10.10.0 255.255.255.0 is the source
any is the destination
object-group DM_INLINE_TCP_1 will be an object group with some ports in it

do a show run, DM_INLINE_TCP_1 will be in the top third with some port-object in it

Pete
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40346679
Thank you.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question