04-20-2014 02:14 PM
I have this existing config (which works) on ASA5510 v8.2(5)
Need to port this over to ASA5515 running v8.6(1)
ASA5510 inside net: 192.168.1.0/24
Network on remote VPN peer: 172.16.21.192/28
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
!
access-list InsideLocal.1-2-OutsideNetwork extended permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork extended permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
!
static (inside,outside) 10.0.200.211 access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39 access-list InsideLocal.191-2-OutsideNetwork
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
!
I believe what I need is this:
!
object network OBJ_172.16.21.192_28
subnet 172.16.21.192 255.255.255.240
!
object network OBJ_10.0.200.211_32
host 10.0.200.211
!
object network OBJ_10.0.202.39_32
host 10.0.202.39
!
object network OBJ_192.168.1.1_32
host 192.168.1.1
!
object network OBJ_192.168.1.191_32
host 192.168.1.191
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
!
nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
Thx - Phil
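A small consistency check for object-based ASA configs of the kind proposed in this post. This is an added example, not code from the thread or from Cisco: it embeds the proposed 8.6 fragment as a constructed sample, with the mapped object on the second nat line intentionally mistyped (OBJ_10.0.200.39_32 where the defined object is OBJ_10.0.202.39_32), and reports object names that are referenced but never defined, plus twice-NAT rules whose mapped source/destination pair is not matched by the ACL bound to the crypto map (the crypto ACL has to match post-NAT addresses). The regexes cover only the `object`, `access-list ... object ... object ...`, `nat ... source static ... destination static ...` and `crypto map ... match address` forms used here; any other syntax is an assumption you would extend.

```python
"""Consistency check for an ASA 8.3+ object-based NAT/VPN fragment.

Added example (not from the forum post or any Cisco tool). Parses the
constructed SAMPLE_CONFIG below and reports:
  * object names used by nat / access-list lines but never defined with
    `object network`, and
  * twice-NAT rules whose (mapped source, mapped destination) pair is not
    permitted by the ACL referenced from the crypto map.
"""
import re
from collections import defaultdict

# Constructed sample based on the proposed 8.6 config; the second nat line
# deliberately references OBJ_10.0.200.39_32, which is never defined.
SAMPLE_CONFIG = """\
object network OBJ_172.16.21.192_28
 subnet 172.16.21.192 255.255.255.240
object network OBJ_10.0.200.211_32
 host 10.0.200.211
object network OBJ_10.0.202.39_32
 host 10.0.202.39
object network OBJ_192.168.1.1_32
 host 192.168.1.1
object network OBJ_192.168.1.191_32
 host 192.168.1.191
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.200.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
"""

# Only the line shapes used in the sample are recognised (assumption).
OBJ_RE = re.compile(r"^object network (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse(config):
    """Return (defined objects, acl name -> {(src, dst)}, nat rules, crypto ACL names)."""
    objects = set()
    acl = defaultdict(set)
    nats = []          # each rule: (real_src, mapped_src, real_dst, mapped_dst)
    crypto_acls = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            objects.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl[m.group(1)].add((m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    return objects, acl, nats, crypto_acls


def undefined_references(config):
    """Object names referenced by ACL or NAT lines that have no definition."""
    objects, acl, nats, _ = parse(config)
    referenced = {o for pairs in acl.values() for pair in pairs for o in pair}
    referenced |= {o for rule in nats for o in rule}
    return sorted(referenced - objects)


def nat_rules_missing_from_crypto_acl(config):
    """Twice-NAT rules whose mapped src/dst pair no crypto-map ACL permits."""
    _, acl, nats, crypto_acls = parse(config)
    covered = set()
    for name in crypto_acls:
        covered |= acl.get(name, set())
    return [rule for rule in nats if (rule[1], rule[3]) not in covered]


if __name__ == "__main__":
    for name in undefined_references(SAMPLE_CONFIG):
        print("undefined object:", name)
    for rule in nat_rules_missing_from_crypto_acl(SAMPLE_CONFIG):
        print("nat rule not matched by crypto ACL:", rule)
```

Run it as-is and it flags OBJ_10.0.200.39_32 twice: once as undefined, once because the crypto ACL only permits the correctly named OBJ_10.0.202.39_32 object; fix the name in the sample and both lists come back empty. The same two checks are worth running on a real migrated config before pasting it into the 8.6 box, since the ASA will reject the undefined object but will silently leave traffic unencrypted if the crypto ACL and the NAT mapped addresses disagree.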
04-20-2014 08:20 PM
Hi Phil,
The converted configuration in 8.6.x from 8.2.x is correct. Go ahead with it.
Vishnu
04-21-2014 03:31 AM
Vishnu,
Thanks for the reply. I'm starting to get a better handle on the 8.2 versus 8.4 and later NAT. I may have more posts in a bit if you could consider.
Phil
04-21-2014 03:35 AM
No problem!! Feel free to ask where you have the slightest doubt at all.
We at Cisco feel good when we see our posts improving someone's knowledge about the product and configuration.
Vishnu
04-21-2014 05:08 AM
Vishnu,
On my 8.2(5) config I have 'object-group network' cmds.
Example:
object-group network DBaseSrvrs
network-object host 10.172.0.50
network-object host 10.172.0.51
If these object-group are only used in ACLs should I configure them on 8.6(1) as:
object network OBJ_10.172.0.50_32
host 10.172.0.50
object network OBJ_10.172.0.51_32
host 10.172.0.51
object-group network DBaseSrvrs
network-object object OBJ_10.172.0.50_32
network-object object OBJ_10.172.0.51_32
Or should I just leave as they are on the 8.2(5) code:
object-group network DBaseSrvrs
network-object host 10.172.0.50
network-object host 10.172.0.51
Where would I preferably use one versus the other?
Thx - Phil
04-21-2014 05:25 AM
Vishnu,
This may be the answer to my question. The 8.4 to 8.7 cmd ref states in part:
"Objects make it easy to maintain your configurations because you can modify an object in one place and have it be reflected in all other places that are referencing it."
So if I had the need to change the IP address of object network OBJ_10.172.0.50_32 I could change the host IP and then rename object network OBJ_10.172.0.50_32 to better reflect the host IP. I'm trying to write the code so it is most readable and hopefully easier to understand.
Maybe I understand some more now than I did.
Phil
04-21-2014 06:01 AM
You are correct!! One more thing that I would like to add here is that in 8.3 and above, objects or object groups are mandatory to define the source and destination, which was not required in 8.2 and earlier versions. For reference, you can see the configuration you pasted initially where you compared the 8.2 and 8.6 versions.
Vishnu.