I am in the process of migrating tunnels off an ASAs running 8.2 code at a customers former data center. The tunnels will be moving to an another ASA running 8.4.2 code. The vendor side equipment ranges from ASAs to Junipers and I don’t have access to them. The majority of the tunnels require either NAT or PAT due to private addresses. Just as a precaution before I migrate all the tunnels I thought I would get a second set of eyes on two of the config files that require the interesting traffic to have a NAT or PAT. The IP have been changed to protect the innocent. So the pointy end of the stick is ... Are the config correct? Phase 1 has already been defined on the ASA and is working fine for the simpler tunnels.
First is just a static NAT name 5.6.7.8 VendorName object-group network VendorName-R network-object host 192.168.1.10 object-group network VendorName-NAT-R network-object host 10.1.0.2 object-group network VendorName-L network-object host 10.1.1.3 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R crypto map vpnmap 10 match address VendorName-crypto crypto map vpnmap 10 set peer VendorName crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA tunnel-group 5.6.7.8 type ipsec-l2l tunnel-group 5.6.7.8 ipsec-attributes ikev1 pre-shared-key cryptosecretkey route outside 192.168.1.10 255.255.255.255 8.8.8.8 1 Second config name 5.6.7.8 VendorName object-group network VendorName-R-1 network-object subnet 192.168.1.0 255.255.255.0 object-group network VendorName-R-2 network-object subnet 192.168.2.0 255.255.255.0 object-group network VendorName-R-3 network-object host 192.168.1.20 object-group network VendorName-R-4 network-object host 192.168.1.21 object-group network VendorName-NAT-R-1 network-object host 10.1.0.2 object-group network VendorName-NAT-R-2 network-object host 10.1.0.3 object-group network VendorName-NAT-R-3 network-object host 10.1.0.4 object-group network VendorName-NAT-R-4 network-object host 10.1.0.5 object-group network VendorName-L network-object host 10.1.1.3 network-object host 10.1.1.6 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-1 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-2 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-3 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-4 nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-1 destination static VendorName-R-1 VendorName-R-1 nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-2 destination static VendorName-R-2 VendorName-R-2 nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-3 destination static VendorName-R-3 VendorName-R-3 nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-4 destination static VendorName-R-4 VendorName-R-4 crypto map vpnmap 290 match address VendorName-crypto crypto map vpnmap 290 set peer VendorName crypto map vpnmap 290 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 tunnel-group 5.6.7.8 type ipsec-l2l tunnel-group 5.6.7.8 ipsec-attributes ikev1 pre-shared-key cryptosecretkey route outside 192.168.1.0 255.255.255.0 8.8.8.8 1 route outside 192.168.1.0 255.255.255.0 8.8.8.8 1 The acl on the second config as I understand can be shortened by the following, is it recommended however? object-group network VendorName-R network-object object VendorName-R-1 network-object object VendorName-R-2 network-object object VendorName-R-3 network-object object VendorName-R-4 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R I apologize if this is the wrong list and appreciate everyone's time for take a look and responding. _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
