
Objects in Cisco ASA

Last Modified: 2017-04-28
I have a remote situation where we have 65 small retail stores and 4 regional offices all connected via IPSec tunnel back to the corporate data center.  Everything is working great.  What I am looking to do is re-configure the Corporate ASA just to make the code easier to manage and even read.

However, the Cisco ASA IOS is not doing what I want to do in handling objects, and it may be that it just will not work.  What I want to do is use objects to create a single VPN "match address" in the crypto map definition and then just have it search through the IPsec "peers" listed in the crypto map set peer command to find the correct peer and establish the tunnel.

Here is a small code example of what is WORKING, and below that is what I want to do, which is not working.
object network GKY-CORP-LAN
 subnet 172.20.0.0 255.255.0.0
 description This is the Corporate Data Center
object network GKY-BGRO-LAN
 subnet 172.23.0.0 255.255.0.0
 description This is the Regional Office
object network GKY-TVILLERD
 subnet 10.5.21.0 255.255.255.0
object network GKY-NORTHFIELD
 subnet 10.5.24.0 255.255.255.0
object-group network GKY-STORES
 network-object object GKY-TVILLERD
 network-object object GKY-NORTHFIELD
object-group network IPSec-Sites
 network-object object GKY-BGRO-LAN
 group-object GKY-STORES

access-list VPN_GKY-BGRO-LAN extended permit ip object GKY-CORP-LAN object GKY-BGRO-LAN
access-list VPN_GKY-TVILLERD extended permit ip object GKY-CORP-LAN object-group GKY-STORES
access-list VPN_GKY-NORTHFIELD extended permit ip object GKY-CORP-LAN object-group GKY-STORES

nat (inside,outside) source static GKY-CORP-LAN GKY-CORP-LAN destination static IPSec-Sites IPSec-Sites no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set gkyset1 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set gkyset2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set gkyset3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map gkymap 40 match address VPN_GKY-BGRO-LAN
crypto map gkymap 40 set peer 208.80.208.179
crypto map gkymap 40 set ikev1 transform-set gkyset3 gkyset2 gkyset1
crypto map gkymap 5223 match address VPN_GKY-NORTHFIELD
crypto map gkymap 5223 set peer 60.60.178.62
crypto map gkymap 5223 set ikev1 transform-set gkyset3 gkyset2 gkyset1
crypto map gkymap 5231 match address VPN_GKY-TVILLERD
crypto map gkymap 5231 set peer 60.62.154.55
crypto map gkymap 5231 set ikev1 transform-set gkyset3 gkyset2 gkyset1
crypto map gkymap interface outside

(and then I have the associated tunnel groups set up).

But here is what I *want* to do.  Remove the two lines of:

access-list VPN_GKY-TVILLERD extended permit ip object GKY-CORP-LAN object-group GKY-STORES
access-list VPN_GKY-NORTHFIELD extended permit ip object GKY-CORP-LAN object-group GKY-STORES

and add this line instead

access-list VPN_GKY-STORES extended permit ip object GKY-CORP-LAN object-group GKY-STORES

And then remove the two crypto definitions for the stores and combine them into one crypto definition like below:

crypto map gkymap 5000 match address VPN_GKY-STORES
crypto map gkymap 5000 set peer 60.62.154.55 60.60.178.62
crypto map gkymap 5000 set ikev1 transform-set gkyset3 gkyset2 gkyset1

The only part of this that does not work is that it finds only the first peer and never switches to the second to make the other IPSec tunnel connection.

Is there a way to make the Cisco ASA search through the peer list to find the correct peer to develop the correct tunnel?

Thank you in advance for any help
Jeff
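As an added illustration (not code from the question or from Cisco), the script below parses the crypto map lines from a constructed sample modelled on the "what I want" config, flags the entry that carries more than one peer, and expands a per-site ACL-to-peer mapping back into one crypto map entry per peer, which is the layout that selects the remote endpoint by destination. The ACL names, peers and transform-set names are taken from the question; the mapping passed to expand_per_peer is an assumption for the demo.

```python
import re

# Constructed sample: the single multi-peer entry from the question, plus the
# working regional-office entry, so the linter has both shapes to look at.
SAMPLE_CONFIG = """\
crypto map gkymap 40 match address VPN_GKY-BGRO-LAN
crypto map gkymap 40 set peer 208.80.208.179
crypto map gkymap 40 set ikev1 transform-set gkyset3 gkyset2 gkyset1
crypto map gkymap 5000 match address VPN_GKY-STORES
crypto map gkymap 5000 set peer 60.62.154.55 60.60.178.62
crypto map gkymap 5000 set ikev1 transform-set gkyset3 gkyset2 gkyset1
crypto map gkymap interface outside
"""

# Only the three per-sequence statements matter here; 'interface outside'
# has no sequence number and is skipped by the \d+ group.
CRYPTO_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$"
)

def parse_crypto_map(config):
    """Return {(map_name, seq): {'acl': str, 'peers': [...], 'transforms': [...]}}."""
    entries = {}
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        name, seq, kind, rest = m.groups()
        e = entries.setdefault((name, int(seq)), {"acl": None, "peers": [], "transforms": []})
        if kind == "match address":
            e["acl"] = rest.strip()
        elif kind == "set peer":
            e["peers"] += rest.split()       # several peers on one line is legal
        else:
            e["transforms"] += rest.split()
    return entries

def multi_peer_entries(entries):
    """Sequence numbers whose peer list holds more than one address.  On the ASA
    the extra peers are tried in order as backups for the same tunnel; they are
    not a lookup table keyed on the destination subnet, so a multi-subnet ACL
    on such an entry only ever reaches the first responding peer."""
    return [seq for (_, seq), e in entries.items() if len(e["peers"]) > 1]

def expand_per_peer(map_name, base_seq, acl_to_peer, transforms):
    """Emit one crypto map entry per remote site (seq = base_seq, base_seq+1, ...).
    acl_to_peer maps a per-site ACL name to the peer that terminates that site."""
    lines, ts = [], " ".join(transforms)
    for i, (acl, peer) in enumerate(acl_to_peer.items()):
        seq = base_seq + i
        lines.append(f"crypto map {map_name} {seq} match address {acl}")
        lines.append(f"crypto map {map_name} {seq} set peer {peer}")
        lines.append(f"crypto map {map_name} {seq} set ikev1 transform-set {ts}")
    return lines
```

Feeding a full running config to parse_crypto_map and checking that multi_peer_entries returns an empty list is a quick pre-change sanity check before pushing a merged crypto map.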

Author commented:
Hi Pete,
I thought that was the case. It would really be nice if in a future release of the IOS you could have it search through.

Just makes management a little easier that way.

Thank you!
