inbound-vpn-crypto

Shibu1978
Level 1

Hi All,

We have a working site-to-site VPN between 2 locations. Basically, site A is only accessing servers at site B. There is no access back to site A from site B.

Now there is a requirement to access a server at site A from site B.

Please find below the specific current configuration at site A & planned new configs.

Current VPN configuration at site A ASA

ASA Version 8.3(1)

==============

object network hsdp_vpn_ip
 host 84.*.*.90
 description hsdp vpn ip
object-group network lsdp_svr
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
 network-object host 212.*.*.*
object-group network m4com_svr
 network-object host 10.10.2.11
 network-object host 10.10.2.12
 network-object host 10.10.2.13
 network-object host 10.10.2.14
 network-object host 10.10.2.16
 network-object host 10.10.2.17
 network-object host 10.10.2.18
access-list DMZ_access_in extended permit ip any any
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
access-list l2l_list extended permit ip host 84.*.*.90 host 212.*.*.*
nat (DMZ,outside) source dynamic m4com_svr hsdp_vpn_ip destination static lsdp_svr lsdp_svr description pat rule to lsdp services

===========================================

Planned configuration for new requirement at site A ASA

==================================

object network kftp_svr
 host 10.10.2.50
object network kftp_trans
 host 84.*.*.160
object-group network mftp_clt0
 network-object host 212.*.*.152
 network-object host 212.*.*.153
 network-object host 212.*.*.154
 network-object host 84.*.*.150
 network-object host 84.*.*.151
access-list l2l_list extended permit ip host 84.*.*.160 object-group mftp_clt0
nat (DMZ,outside) source dynamic kftp_svr kftp_trans destination static mftp_clt0 mftp_clt0

To facilitate server access to site A from site B, does the above planned config work? Or should I change the NAT as below, or does anything else need to be added?

nat (DMZ,outside) source static kftp_svr kftp_trans destination static mftp_clt0 mftp_clt0

Please let me know.

Thanks

3 Replies

Shibu1978
Level 1

Hi,

Could you please respond to this? I hope I made my requirement understood.

Thanks

Dear All,

I am a bit confused about the NAT part in version 8.3.1. Basically, my current requirement (please see the new requirement at the top) is the below, which I will configure in 8.2(5). Kindly help to convert it to 8.3.1 format.

object-group network mftp_clt0
 network-object host 212.*.*.152
 network-object host 212.*.*.153
 network-object host 212.*.*.154
 network-object host 84.*.*.150
 network-object host 84.*.*.151
access-list INSIDE_nat0_outbound extended permit ip host 84.*.*.160 object-group mftp_clt0  - Nat0 ACL
access-list outside_80_cryptomap extended permit ip host 84.*.*.160 object-group mftp_clt0  - Crypto ACL to the Peer
static (DMZ,OUTSIDE) 84.*.*.160 10.10.2.50 netmask 255.255.255.255  - Static nat

Thanks in advance

Any updates on this would be appreciated.

Do you require any more info from my side? Please let me know.

Thanks
