We have multiple failover clusters that we would like to sync the DAPs/Group Policies/ACLs between. I understand that there are two components that are combined for, say, a DAP -- the config lines, and the dap.xml.
What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things that are unique to each cluster, like IPs, routing, and crypto maps, must stay the same, so it's not as easy as just doing an ASDM/CLI full backup and restore.
I have successfully done this a couple of times, but mostly through trial and error, by using ASDM to export some information and then importing it manually. I'd like to script this out, so doing this via command line would be key. Any suggestions? Thanks for any help!
Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP ACLs.
Then, use the ASDM to backup the DAP and bookmarks only.
We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order. We chose not to sync Group Policies, Tunnel / Connection profiles and the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users. You may want to think about syncing customizations and such as well.
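The first step of that procedure (collecting the dynamic-access-policy-record blocks plus the ACLs they reference) is the part that lends itself to scripting. The script below is an added example, not code from this thread or from Cisco. It assumes the input is a plain `show running-config` capture saved to a file (top-level commands unindented, sub-mode lines indented by spaces), that the only DAP dependency worth carrying over from the CLI is the ACL named on each `network-acl` line, and that the selection criteria in dap.xml and the bookmark lists are still moved with the ASDM backup/restore, since neither lives in the running-config. The sample config embedded in it is constructed for illustration; all hostnames, ACL names and DAP names are made up.

```python
"""Extract the CLI half of an ASA DAP configuration from a saved running-config.

Added example for the procedure in the answer above; not code from the thread
or from Cisco. Assumptions: input is a `show running-config` capture, one-space
indentation for sub-mode lines, and `network-acl` is the only DAP reference
that has to be resolved from the CLI. dap.xml and bookmark XML files are NOT
in the running-config and still go through the ASDM backup/restore step.
"""
import re
import sys

DAP_PREFIX = "dynamic-access-policy-record "
ACL_RE = re.compile(r"^access-list (\S+) ")
NETWORK_ACL_RE = re.compile(r"^\s*network-acl (\S+)$")

# Constructed sample config (not a real device). It mixes DAP material with
# per-gateway items (crypto map, group-policy, interface ACL) that must be
# left behind, and one DAP that references an ACL missing from the config.
SAMPLE_CONFIG = """\
hostname asa-east
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list DAP_CORP_ACL remark Corporate managed laptops
access-list DAP_CORP_ACL extended permit ip any 10.10.0.0 255.255.0.0
access-list DAP_CORP_ACL extended deny ip any any
access-list DAP_GUEST_ACL extended permit tcp any 10.20.0.0 255.255.255.0 eq 443
crypto map OUTSIDE_MAP 10 match address OUTSIDE_VPN
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Corp_Users
 description "Corporate managed laptops"
 network-acl DAP_CORP_ACL
 webvpn
  url-list value Corp_Bookmarks
 priority 10
dynamic-access-policy-record Contractors
 network-acl DAP_GUEST_ACL
 network-acl DAP_MISSING_ACL
 webvpn
  file-browsing disable
 priority 20
group-policy GroupPolicy_AnyConnect internal
 vpn-tunnel-protocol ssl-client
"""


def parse_blocks(config):
    """Split a running-config into (header, [child lines]) blocks.

    A block starts at an unindented line; every indented line that follows
    belongs to it. Blank lines are dropped.
    """
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] == " ":
            if blocks:
                blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def extract_dap_config(config):
    """Return (cli_text, missing_acls).

    cli_text holds the referenced access-list lines first, then each
    dynamic-access-policy-record block with its sub-mode lines, i.e. the
    order in which the answer imports them on the target ASA. missing_acls
    lists ACL names a DAP references that the source config does not define,
    so they can be fixed before anything is pasted into the other cluster.
    """
    blocks = parse_blocks(config)
    dap_blocks = [(h, c) for h, c in blocks if h.startswith(DAP_PREFIX)]

    # Collect referenced ACL names in the order the DAPs mention them.
    wanted = []
    for _, children in dap_blocks:
        for child in children:
            m = NETWORK_ACL_RE.match(child)
            if m and m.group(1) not in wanted:
                wanted.append(m.group(1))

    # Pull every access-list line for those names, preserving config order
    # (remarks and ACE order matter for an ACL).
    acl_lines = {name: [] for name in wanted}
    for header, _ in blocks:
        m = ACL_RE.match(header)
        if m and m.group(1) in acl_lines:
            acl_lines[m.group(1)].append(header)

    missing = [name for name in wanted if not acl_lines[name]]

    out = []
    for name in wanted:
        out.extend(acl_lines[name])
    for header, children in dap_blocks:
        out.append(header)
        out.extend(children)
    return "\n".join(out) + "\n", missing


if __name__ == "__main__":
    # Usage: python dap_extract.py running-config.txt > dap-cli.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    cli, missing = extract_dap_config(text)
    sys.stdout.write(cli)
    for name in missing:
        sys.stderr.write(f"warning: network-acl {name} is not defined in this config\n")
```

The output is meant to be pasted into configuration mode on the target ASA before the ASDM restore of the DAP and bookmark files; the ACLs come first so that the `network-acl` lines refer to something that already exists. Per-gateway items such as interface ACLs, crypto maps and group-policies are deliberately not copied, matching the answer's choice to keep those local to each cluster.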