Cisco Support Community

New Member

ASA 5505/5510 9.12 Config questions

Hello all,

I have several ASA 5505s at different sites and a 5510 at our main office.  Recently, I upgraded them all from ASA 7.24 to 9.12.  I was able to convert the configs and get everything working but I have some questions.  I inherited this responsibility from an ex-employee and know enough about Cisco gear to be dangerous. I always thought that the configs had un-needed commands but I’m not really sure. First, we have ACLs…

access-list inside_access_in extended permit tcp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit udp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit icmp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit ip object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit tcp object obj-192.168.5.0 any4
access-list inside_access_in extended permit udp object obj-192.168.5.0 any4
access-list inside_access_in extended permit icmp object obj-192.168.5.0 any4
access-list inside_access_in extended permit ip object obj-192.168.5.0 any4

Is it really necessary to call out each protocol this way? I don’t think it is, but again….dangerous!

The next thing is NAT…

nat (inside,outside) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup

nat (inside,outside) source dynamic obj_any interface


Are the (outside, inside) & (outside,outside) necessary? Again, I don’t think so, but I’m not sure.

These are working configs, so I know that functionally they are fine.  I would just like to clean up the code, if possible.

Thanks for any help!!

Tim

2 REPLIES
Super Bronze

ASA 5505/5510 9.12 Config questions

Hi,

It does seem that the ACL has useless rules.

You could simply have the "permit ip" statements and would not need the TCP/UDP/ICMP ones at all.

access-list inside_access_in extended permit tcp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit udp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit icmp object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit ip object obj-192.168.5.0 object obj-192.168.0.0
access-list inside_access_in extended permit tcp object obj-192.168.5.0 any4
access-list inside_access_in extended permit udp object obj-192.168.5.0 any4
access-list inside_access_in extended permit icmp object obj-192.168.5.0 any4
access-list inside_access_in extended permit ip object obj-192.168.5.0 any4

With regards to the NAT configurations, I don't think you need the same configuration both ways. One of those configurations already works for both directions.

nat (inside,outside) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

nat (outside,inside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp

I would typically configure only the one with "inside,outside"

The purpose of the configuration below I am not really sure about.

nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup

Typically I would see this configuration used when traffic needs to flow between 2 VPN connections. However, when we look at the previous NAT configurations, they would seem to indicate that the 192.168.5.0 is located behind the "inside" interface and because of this the above NAT rule doesn't really make sense.

I presume the NAT configuration is the result of the ASA automatically converting the configuration from the older software levels? (from 8.2 or below)

- Jouni
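As an added illustration of the point above (this is not code from the thread or from Cisco), here is a small Python checker that flags access-list entries that are wholly covered by a broader "permit ip" entry in the same ACL, using the ACL from the question as its input. It assumes named objects hold IPv4 addresses (so `any4` covers them), compares object names textually without resolving them, and treats an entry between two entries of the opposite action as a reason not to collapse them; it is a hygiene aid, not a substitute for checking the objects themselves.

```python
import re

# Matches the plain "access-list NAME extended ACTION PROTO SRC DST [tail]" form; SRC/DST may be
# "object X", "object-group X", "host A.B.C.D", "any", "any4" or "any6". Port/ICMP qualifiers are
# not parsed, they are kept verbatim in `tail` (assumption: only these address forms occur).
_ADDR = r"(?:(?:object|object-group|host)\s+\S+|any4|any6|any)"
_ACE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
                  r"(?P<proto>\S+)\s+(?P<src>" + _ADDR + r")\s+(?P<dst>" + _ADDR + r")(?P<tail>.*)$")

def parse_ace(line):
    """Return a dict for one access-control entry, or None if the line is not an ACE."""
    m = _ACE.match(line.strip())
    return {k: " ".join(v.split()) for k, v in m.groupdict().items()} if m else None

def covers(broad, narrow):
    """True if address spec `broad` matches everything `narrow` does. Assumption: named
    objects hold IPv4 addresses, so any/any4 cover them; distinct objects are not resolved."""
    return broad == narrow or broad == "any" or (broad == "any4" and narrow not in ("any", "any6"))

def redundant_aces(lines):
    """(index, line) pairs for ACEs wholly covered by a same-action, unqualified 'ip' ACE
    with no opposite-action ACE between the two (an exact duplicate keeps its first copy)."""
    aces = [(i, l, parse_ace(l)) for i, l in enumerate(lines)]
    aces = [a for a in aces if a[2] is not None]
    found = []
    for i, line, r in aces:
        for j, _, b in aces:
            if i == j or b["proto"] != "ip" or b["tail"] or b["action"] != r["action"]:
                continue
            if not (covers(b["src"], r["src"]) and covers(b["dst"], r["dst"])):
                continue
            if r["proto"] == "ip" and not r["tail"] and (r["src"], r["dst"]) == (b["src"], b["dst"]) and i < j:
                continue  # r and b are exact duplicates; flag only the later one
            lo, hi = sorted((i, j))
            if all(x["action"] == r["action"] for k, _, x in aces if lo < k < hi):
                found.append((i, line))
                break
    return found

# The ACL from the question above (copied from the post, not constructed).
SAMPLE_ACL = [
    "access-list inside_access_in extended permit tcp object obj-192.168.5.0 object obj-192.168.0.0",
    "access-list inside_access_in extended permit udp object obj-192.168.5.0 object obj-192.168.0.0",
    "access-list inside_access_in extended permit icmp object obj-192.168.5.0 object obj-192.168.0.0",
    "access-list inside_access_in extended permit ip object obj-192.168.5.0 object obj-192.168.0.0",
    "access-list inside_access_in extended permit tcp object obj-192.168.5.0 any4",
    "access-list inside_access_in extended permit udp object obj-192.168.5.0 any4",
    "access-list inside_access_in extended permit icmp object obj-192.168.5.0 any4",
    "access-list inside_access_in extended permit ip object obj-192.168.5.0 any4",
]
```

Calling `redundant_aces(SAMPLE_ACL)` reports the first seven entries as redundant: the final "permit ip ... any4" line covers all of them, so under the stated assumptions that one line is all the ACL needs.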

New Member

ASA 5505/5510 9.12 Config questions

That's what I was thinking.  I'll clean one up tonight and go from there.

It's possible the conversion created this stuff.  I'd have to look at the old config to see what's there.  Thanks for the input, it's much appreciated!

Tim
