Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
348
Views
0
Helpful
4
Replies

L2L Tunnel between 2ASAs: General query on nonat/crypto acls

Go to solution
mvsheik123
Level 7
Level 7

‎12-01-2008 06:05 AM

Hi all,

For the L2L tunnel between 2ASAs to work fine, we normally configure same network to network - nonat & cryptos ACls on both ends of the ASAs. My question is...

will it work with no issues, if on one end ASA, the nonat & crypto ACLs are combined into object-group (to limit ASA configs) and on the other end the net address to net address nonat & crypto ACLs still exists (not consolidated into object group)..? If it works, does this work even if the tunnel is between ASA--> Router.

Thank you in advance

MS

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎12-01-2008 07:19 AM

MS, it will work if other side does not use the same consolidated acl scenario using object-groups. The acls and object-groups are locally significant to the device.

You can consolidate the acls on the ASA/PIX using TCP or UDP object-groups or network object groups and point your acl to the respective object-group they still have the same effect as when they were configured individually line by line.

does this work even if the tunnel is between ASA--> Router

Yes

HTH

Jorge

Jorge Rodriguez

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-01-2008 09:00 AM

MS

This should work fine. The object-group will simply be expanded when the 2 peers negotiate the local and remote networks. As long as the object-group entries match the other ends net entries it should all work.

Should be same for router as well.

Hope i've understood your question.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎12-01-2008 07:19 AM

MS, it will work if other side does not use the same consolidated acl scenario using object-groups. The acls and object-groups are locally significant to the device.

You can consolidate the acls on the ASA/PIX using TCP or UDP object-groups or network object groups and point your acl to the respective object-group they still have the same effect as when they were configured individually line by line.

does this work even if the tunnel is between ASA--> Router

Yes

HTH

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to JORGE RODRIGUEZ

‎12-01-2008 09:03 AM

Hi Jorge

Sincere apologies as i could have sworn that nobody had answered this question but it looks like i missed your answer as the times the threads were posted are quite different.

Anyway, good thing we both agreed :-). Hope your'e well, found a new place in Bristol so will be moving at end of January next year.

Jon

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to Jon Marshall

‎12-01-2008 09:54 AM

My friend Jon, I never thought anything bad, the most logical thought I had was you must have seen the post empty..

You know I would never think wrong on you buddy..

Rgds

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-01-2008 09:00 AM

MS

This should work fine. The object-group will simply be expanded when the 2 peers negotiate the local and remote networks. As long as the object-group entries match the other ends net entries it should all work.

Should be same for router as well.

Hope i've understood your question.

Jon

0 Helpful
Customers Also Viewed These Support Documents