For the L2L tunnel between 2 ASAs to work fine, we normally configure the same network-to-network nonat & crypto ACLs on both ends of the ASAs. My question is...
Will it work with no issues if, on one end ASA, the nonat & crypto ACLs are combined into an object-group (to limit ASA configs), and on the other end the net-address-to-net-address nonat & crypto ACLs still exist (not consolidated into an object-group)? If it works, does this also work if the tunnel is between an ASA and a router?
Thank you in advance
This should work fine. The object-group will simply be expanded when the 2 peers negotiate the local and remote networks. As long as the object-group entries match the other end's net entries, it should all work.
Should be same for router as well.
Hope I've understood your question.
MS, it will work if the other side does not use the same consolidated ACL scenario using object-groups. The ACLs and object-groups are locally significant to the device.
You can consolidate the ACLs on the ASA/PIX using TCP or UDP object-groups or network object-groups and point your ACL to the respective object-group; they still have the same effect as when they were configured individually line by line.
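A way to check the point both replies make (the ASA expands the object-groups, so what matters is that the flattened network pairs mirror the peer's line-by-line entries), as an added example that is not part of this thread. The configs inside it are constructed for illustration; it only handles `network-object` entries and the pre-8.3 style `nat 0` exemption ACL, and it is a parser you would run offline against copied config, not anything the ASA or router does itself.

```python
"""Expand object-group based ASA crypto / nonat ACLs into flat (src, dst) network pairs
and check them against a peer's line-by-line ACL, the same pairs the two peers must
agree on as proxy identities once the groups are expanded. Example code, not from the thread."""
import ipaddress
import re

# Constructed sample configs (not taken from the original post).
# ASA side: crypto and nonat ACLs both reference object-groups.
ASA_CONFIG = """
object-group network LOCAL-LANS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network REMOTE-LANS
 network-object 10.2.1.0 255.255.255.0
access-list VPN-CRYPTO extended permit ip object-group LOCAL-LANS object-group REMOTE-LANS
access-list NONAT extended permit ip object-group LOCAL-LANS object-group REMOTE-LANS
"""
# Router (IOS) side: one line per network pair, wildcard masks, its own LAN first.
ROUTER_CONFIG = """
access-list 101 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.2.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""


def _net(addr, mask):
    # ipaddress accepts a netmask (ASA style) or a wildcard/hostmask (IOS style) after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_object_groups(config):
    """Map object-group name -> list of networks. Only network-object lines are handled."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s*network-object (host )?(\S+)(?: (\S+))?", line)
        if m and current:
            host, addr, mask = m.groups()
            groups[current].append(_net(addr, "255.255.255.255" if host else mask))
    return groups


def _endpoint(tokens, groups):
    """Consume one ACL endpoint (object-group X | host A | any | A MASK) from tokens."""
    kind = tokens.pop(0)
    if kind == "object-group":
        return groups[tokens.pop(0)]
    if kind == "host":
        return [_net(tokens.pop(0), "255.255.255.255")]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [_net(kind, tokens.pop(0))]


def _expand(config, prefix, groups):
    """Flatten every 'permit ip' line whose leading tokens equal prefix into (src, dst) pairs."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[: len(prefix)] != prefix:
            continue
        rest = tokens[len(prefix):]
        src, dst = _endpoint(rest, groups), _endpoint(rest, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs


def expand_asa_acl(config, acl_name):
    """ASA: access-list NAME extended permit ip SRC DST, with object-groups expanded."""
    return _expand(config, ["access-list", acl_name, "extended", "permit", "ip"],
                   parse_object_groups(config))


def expand_ios_acl(config, acl_name):
    """IOS extended ACL written line by line: access-list N permit ip SRC WILD DST WILD."""
    return _expand(config, ["access-list", acl_name, "permit", "ip"], {})


def proxy_id_mismatch(local_pairs, peer_pairs):
    """Return (only_on_local, only_on_peer). Both empty means every pair has its mirror image."""
    expected = {(d, s) for s, d in peer_pairs}
    return local_pairs - expected, expected - local_pairs


def not_nat_exempt(crypto_pairs, nonat_pairs):
    """Crypto pairs no nonat entry covers: that traffic would be NATed before it hits the tunnel."""
    return {(s, d) for s, d in crypto_pairs
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_pairs)}


if __name__ == "__main__":
    crypto = expand_asa_acl(ASA_CONFIG, "VPN-CRYPTO")
    nonat = expand_asa_acl(ASA_CONFIG, "NONAT")
    router = expand_ios_acl(ROUTER_CONFIG, "101")
    print("ASA crypto ACL expands to:", sorted(map(str, crypto)))
    print("proxy-id mismatch (asa-only, router-only):", proxy_id_mismatch(crypto, router))
    print("crypto pairs missing NAT exemption:", not_nat_exempt(crypto, nonat))
```

Feed it a copy of each side's config; a non-empty `only_on_local` or `only_on_peer` set is exactly the entry that would show up as a proxy-identity mismatch when that pair of networks tries to bring the SA up. The same mirror check applies whether the peer is another ASA or a router, because only the expanded pairs are negotiated.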