• Status: Solved

Understanding ASA config statements

Hello,

I'm creating a VPN tunnel, and here is the config from the ASA. Next to some of the statements I wrote in parentheses what I think each statement actually means. I think I have a pretty good idea, but I would appreciate any help in someone explaining anything I'm missing or explaining it better. Thanks.


access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1, which is the inside network of 10.10.10.0?) Is there a way to remove "DM_INLINE_TCP_1" from the CLI?


nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp

(My goal is to not have the interesting traffic NATed. So why does it say "nat" and not "nat 0"? Also, since my source and destination address/network are the same, does that mean it is NATing itself, its own address?)


crypto map outside_map 1 match address outside_cryptomap (this is the ACL from line 1?)
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set AES-256_SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside (this is the interface on which the VPN establishes or encrypts the traffic?)

Pete Long (Technical Consultant) commented:
(This access list shows the interesting traffic from the inside 10.10.10.0 network to anywhere. Why does it again show the object-group DM_INLINE_TCP_1, which is the inside network of 10.10.10.0?) Is there a way to remove "DM_INLINE_TCP_1" from the CLI?

Mmm, DM_INLINE_TCP_1 is more likely to be a group with some ports in it. This ACL (if used for VPN; never assume) will encrypt all traffic from 10.10.10.0/24 going anywhere.

Is there a way to remove "DM_INLINE_TCP_1" from the CLI?

Yes:

no access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
then
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any


(My goal is to not have the interesting traffic NATed. So why does it say "nat" and not "nat 0"? Also, since my source and destination address/network are the same, does that mean it is NATing itself, its own address?)

I know it's confusing! It's called twice NAT. Normally you get the source listed twice and the destination listed twice; this means DON'T NAT.
See my article below:
Cisco ASA 5500 Site to Site VPN (From CLI)


crypto map outside_map 1 match address outside_cryptomap (this is the ACL from line 1?)

Bingo! It means if the traffic matches, then 'fire' this crypto map and encrypt the traffic. Again, see the link above.

crypto map outside_map interface outside (this is the interface on which the VPN establishes or encrypts the traffic?)

Right again!

PL

tolinrome (Author) commented:
Sorry, I copied "DM_INLINE_TCP_1" instead of "object-group network DM_INLINE_NETWORK_1".

So why does the access list have the object name after the any?

access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1

Pete Long (Technical Consultant) commented:
Because the syntax of an ACL is

access-list name permit/deny type source destination port/type

So 10.10.10.0 255.255.255.0 is the source,
any is the destination, and
object-group DM_INLINE_TCP_1 will be an object group with some ports in it.

Do a show run; DM_INLINE_TCP_1 will be in the top third with some port-object entries in it.

Pete

tolinrome (Author) commented:
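As an added example (not part of the thread and not Cisco's own tooling), here is a small Python parser that applies the ACL field order Pete gives above (name, action, protocol, source, destination, port) and flags the question's twice-NAT statements as identity NAT, since real and mapped addresses are the same. The sample lines are the ones quoted in the question; the regexes only cover the statement forms seen on this page.

```python
import re
# Constructed sample: the three statements quoted in the question (not a device dump).
ASA_CONFIG = """
access-list outside_cryptomap extended permit tcp 10.10.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_http tcp_http no-proxy-arp
nat (inside,outside) source static 10.10.10.0 10.10.10.0 service tcp_https tcp_https no-proxy-arp
""".strip().splitlines()

# Source/destination forms handled: any, host X, object-group X, object X, or "addr mask".
ENDPOINT = r"any|any4|any6|host \S+|object-group \S+|object \S+|\S+ \S+"
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ENDPOINT}) (?P<dst>{ENDPOINT})"
    r"(?: (?P<port>eq \S+|range \S+ \S+|object-group \S+))?$"  # trailing port match
)
NAT_RE = re.compile(
    r"^nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\) source static (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: service (?P<real_svc>\S+) (?P<mapped_svc>\S+))?(?P<opts>(?: \S+)*)$"
)

def parse_acl(line: str) -> dict:
    """Split an extended ACL into name/action/proto/src/dst/port, in the order Pete gives."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line}")
    return m.groupdict()

def parse_twice_nat(line: str) -> dict:
    """Parse 'nat (in,out) source static ...'. identity=True means real == mapped: no translation."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported NAT line: {line}")
    d = m.groupdict()
    d["identity"] = d["real"] == d["mapped"] and d["real_svc"] == d["mapped_svc"]
    d["opts"] = d["opts"].split()
    return d

def describe(config):
    """One summary string per statement; other lines (crypto map etc.) are skipped."""
    out = []
    for line in config:
        if line.startswith("access-list "):
            a = parse_acl(line)
            out.append(f"ACL {a['name']}: {a['action']} {a['proto']} from {a['src']} to {a['dst']}"
                       + (f", ports {a['port']}" if a["port"] else ""))
        elif line.startswith("nat "):
            n = parse_twice_nat(line)
            kind = "identity NAT, address kept" if n["identity"] else "translated"
            out.append(f"NAT ({n['ingress']},{n['egress']}): {n['real']} -> {n['mapped']}: {kind}")
    return out
```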
Thank you.