12-01-2008 06:05 AM
Hi all,
For the L2L tunnel between 2 ASAs to work fine, we normally configure the same network-to-network NONAT & crypto ACLs on both ends of the ASAs. My question is...
Will it work with no issues if, on one end's ASA, the NONAT & crypto ACLs are combined into an object-group (to limit ASA config) and on the other end the net-address-to-net-address NONAT & crypto ACLs still exist (not consolidated into an object-group)? If it works, does this also work if the tunnel is between an ASA and a router?
Thank you in advance
MS
12-01-2008 07:19 AM
MS, it will work if the other side does not use the same consolidated ACL scenario using object-groups. The ACLs and object-groups are locally significant to the device.
You can consolidate the ACLs on the ASA/PIX using TCP or UDP object-groups or network object-groups and point your ACL to the respective object-group; they still have the same effect as when they were configured individually, line by line.
"does this work even if the tunnel is between ASA --> Router"
Yes
HTH
Jorge
12-01-2008 09:00 AM
MS
This should work fine. The object-group will simply be expanded when the 2 peers negotiate the local and remote networks. As long as the object-group entries match the other end's net entries it should all work.
Should be the same for a router as well.
Hope I've understood your question.
Jon
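Worked check for what both replies describe, added here as an example; it is not part of either reply and not Cisco's own tooling. It takes a constructed ASA config for "site A" that consolidates its NONAT and crypto ACLs with network object-groups, expands the object-groups into the flat set of (local, remote) network pairs the box actually negotiates as phase 2 proxy IDs, and verifies that a constructed line-by-line crypto ACL on "site B" is the exact mirror (and that site A's NONAT ACL covers the same pairs). A third config with one mirror line dropped shows the pair that would fail. All names and addresses are made up; only the ASA `object-group network` / `access-list ... extended permit ip` syntax is parsed, so an IOS router's wildcard-mask crypto ACL would need its own small adapter (not shown).

```python
import ipaddress
import re

# Constructed ASA configs for illustration (not from the thread). Site A uses
# object-groups; site B lists the same net-to-net pairs line by line, mirrored.
SITE_A_CONFIG = """
object-group network LOCAL-NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
access-list NONAT extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
access-list CRYPTO-B extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
"""

SITE_B_CONFIG = """
access-list CRYPTO-A extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list CRYPTO-A extended permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO-A extended permit ip 192.168.20.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list CRYPTO-A extended permit ip 192.168.20.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

# Same as site B with one mirror line missing: the failure mode to detect.
SITE_B_MISSING = "\n".join(
    ln for ln in SITE_B_CONFIG.splitlines()
    if not ("192.168.20.0" in ln and "10.2.0.0" in ln))


def parse_object_groups(config):
    """Map each 'object-group network NAME' to its list of ip_network members."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command ends the block
            continue
        if current is None:
            continue
        m = re.match(r"^\s+network-object host (\S+)$", line)
        if m:
            groups[current].append(ipaddress.ip_network(m.group(1) + "/32"))
            continue
        m = re.match(r"^\s+network-object (\S+) (\S+)$", line)
        if m:  # ipaddress accepts dotted netmasks, e.g. 10.1.0.0/255.255.0.0
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups


def _take_operand(tokens, groups):
    """Consume one address operand: any | host A | object-group G | A MASK."""
    kind = tokens.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if kind == "object-group":
        return list(groups[tokens.pop(0)])
    return [ipaddress.ip_network(f"{kind}/{tokens.pop(0)}")]


def expand_acl(config, acl_name):
    """Flatten the 'permit ip' lines of an ACL into the set of (src, dst)
    network pairs the ASA works with once object-groups are expanded."""
    groups = parse_object_groups(config)
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        srcs = _take_operand(rest, groups)
        dsts = _take_operand(rest, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_mismatches(local_pairs, peer_pairs):
    """Each local (src, dst) must exist on the peer as (dst, src). Returns the
    pairs only the local side has and the pairs only the peer has; any entry
    in either set is a pair that will fail phase 2 proxy-ID negotiation."""
    mirrored = {(d, s) for (s, d) in peer_pairs}
    return local_pairs - mirrored, mirrored - local_pairs


def acls_mirror(local_pairs, peer_pairs):
    only_local, only_peer = mirror_mismatches(local_pairs, peer_pairs)
    return not only_local and not only_peer


if __name__ == "__main__":
    a_crypto = expand_acl(SITE_A_CONFIG, "CRYPTO-B")
    print("site A crypto ACL expands to", len(a_crypto), "net-to-net pairs")
    print("site A NONAT covers the same pairs:", a_crypto == expand_acl(SITE_A_CONFIG, "NONAT"))
    print("site B mirrors site A:", acls_mirror(a_crypto, expand_acl(SITE_B_CONFIG, "CRYPTO-A")))
    only_a, _ = mirror_mismatches(a_crypto, expand_acl(SITE_B_MISSING, "CRYPTO-A"))
    for s, d in sorted(only_a, key=str):
        print("no mirror entry on site B for", s, "->", d)
```

The point the check makes concrete is the one both replies state: the object-group is a local shorthand, and the only thing the peer ever sees is the expanded list of network pairs, so the peer's ACL (object-grouped or not, ASA or router) just has to contain the mirror image of every pair. Run it against `show run` output from both boxes when a tunnel comes up for some subnets but not others.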
12-01-2008 09:03 AM
Hi Jorge
Sincere apologies, as I could have sworn that nobody had answered this question, but it looks like I missed your answer as the times the threads were posted are quite different.
Anyway, good thing we both agreed :-). Hope you're well; found a new place in Bristol so will be moving at the end of January next year.
Jon
12-01-2008 09:54 AM
My friend Jon, I never thought anything bad; the most logical thought I had was you must have seen the post empty.
You know I would never think wrong of you, buddy.
Rgds
Jorge