Port VPN policy-nat from ASA5510 8.2(5) to ASA5515 8.6(1)

pwmsonpbs
Level 1

I have this existing config (which works) on ASA5510 v8.2(5)
Need to port this over to ASA5515 running v8.6(1)
ASA5510 inside net: 192.168.1.0/24
Network on remote VPN peer: 172.16.21.192/28
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.200.211 172.16.21.192 255.255.255.240
access-list InsideGlobal-2-OutsideNetwork extended permit ip host 10.0.202.39 172.16.21.192 255.255.255.240
!
access-list InsideLocal.1-2-OutsideNetwork extended permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork extended permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
!
static (inside,outside) 10.0.200.211  access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39  access-list InsideLocal.191-2-OutsideNetwork
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork
!

I believe what I need is this:
!
object network OBJ_172.16.21.192_28
 subnet 172.16.21.192 255.255.255.240
!
object network OBJ_10.0.200.211_32
 host 10.0.200.211
!
object network OBJ_10.0.202.39_32
 host 10.0.202.39
!
object network OBJ_192.168.1.1_32
 host 192.168.1.1
!
object network OBJ_192.168.1.191_32
 host 192.168.1.191
!
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.200.211_32 object OBJ_172.16.21.192_28
access-list InsideGlobal-2-OutsideNetwork extended permit ip object OBJ_10.0.202.39_32 object OBJ_172.16.21.192_28
!
nat (inside,outside) source static OBJ_192.168.1.1_32 OBJ_10.0.200.211_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
nat (inside,outside) source static OBJ_192.168.1.191_32 OBJ_10.0.202.39_32 destination static OBJ_172.16.21.192_28 OBJ_172.16.21.192_28 no-proxy-arp route-lookup
!
crypto map outside_map 1 match address InsideGlobal-2-OutsideNetwork

Thx - Phil
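A small converter, added here and not part of the thread, that performs mechanically the 8.2 to 8.3+ translation Phil did by hand above: each policy `static (in,out) MAPPED access-list ACL` plus its ACL becomes `object network` definitions (named with Phil's OBJ_<address>_<prefixlen> scheme) and one twice-NAT `source static ... destination static ...` rule. It assumes ACL entries of the form `permit ip <src> <dst>` with host or subnet endpoints, and the sample input is a constructed copy of the thread's 8.2(5) lines; the object-name and ACL-name choices are the thread's, everything else is assumption.

```python
import ipaddress
import re

# Constructed sample: the 8.2(5) policy-NAT lines quoted in the thread above
OLD_CONFIG = """
access-list InsideLocal.1-2-OutsideNetwork extended permit ip host 192.168.1.1 172.16.21.192 255.255.255.240
access-list InsideLocal.191-2-OutsideNetwork extended permit ip host 192.168.1.191 172.16.21.192 255.255.255.240
static (inside,outside) 10.0.200.211  access-list InsideLocal.1-2-OutsideNetwork
static (inside,outside) 10.0.202.39  access-list InsideLocal.191-2-OutsideNetwork
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+)\s+access-list (\S+)$")

def parse_endpoint(tokens):
    """Consume one ACL address spec ('host A' or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def obj_name(net):
    # Same naming scheme Phil used in the thread: OBJ_<address>_<prefixlen>
    return f"OBJ_{net.network_address}_{net.prefixlen}"

def obj_def(net):
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return f"object network {obj_name(net)}\n{body}"

def convert(old_config):
    """Return 8.3+ object definitions followed by the equivalent twice-NAT rules."""
    acls, objects, nats = {}, {}, []
    for line in old_config.strip().splitlines():
        if m := ACL_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            acls[m.group(1)] = (src, parse_endpoint(rest)[0])
        elif m := STATIC_RE.match(line):
            inside, outside, mapped_ip, acl = m.groups()
            if acl not in acls:
                raise ValueError(f"static refers to undefined access-list {acl}")
            real, dst = acls[acl]
            mapped = ipaddress.ip_network(mapped_ip)
            for net in (real, mapped, dst):      # objects shared by several rules are emitted once
                objects.setdefault(obj_name(net), obj_def(net))
            nats.append(f"nat ({inside},{outside}) source static {obj_name(real)} "
                        f"{obj_name(mapped)} destination static {obj_name(dst)} "
                        f"{obj_name(dst)} no-proxy-arp route-lookup")
    return "\n".join([*objects.values(), *nats])
```

Running `convert(OLD_CONFIG)` yields the five objects and the two `nat` lines from Phil's proposed 8.6(1) config, with the destination object defined once even though both rules reference it.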

6 Replies

Vishnu Sharma
Level 1

Hi Phil,

The converted configuration in 8.6.x from 8.2.x is correct. Go ahead with it.

Vishnu

Vishnu,

Thanks for the reply. I'm starting to get a better handle on the 8.2 versus 8.4 and later NAT.  I may have more posts in a bit if you could consider.

Phil

No problem! Feel free to ask whenever you have the slightest doubt at all.

We at Cisco feel good when we see our posts improving someone's knowledge about the product and configuration.

Vishnu

Vishnu,

On my 8.2(5) config I have 'object-group network' cmds.
Example:
object-group network DBaseSrvrs
 network-object host 10.172.0.50
 network-object host 10.172.0.51

If these object-group are only used in ACLs should I configure them on 8.6(1) as:
object network OBJ_10.172.0.50_32
 host 10.172.0.50
object network OBJ_10.172.0.51_32
 host 10.172.0.51
object-group network DBaseSrvrs
 network-object object OBJ_10.172.0.50_32
 network-object object OBJ_10.172.0.51_32

Or should I just leave as they are on the 8.2(5) code:
object-group network DBaseSrvrs
 network-object host 10.172.0.50
 network-object host 10.172.0.51

Where would I preferably use one versus the other?

Thx - Phil

Vishnu,

This may be the answer to my question.  The 8.4 to 8.7 cmd ref states in part:

"Objects make it easy to maintain your configurations because you can modify an object in one place and have it be reflected in all other places that are referencing it."

So if I had the need to change the IP address of object network OBJ_10.172.0.50_32 I could change the host IP and then rename object network OBJ_10.172.0.50_32 to better reflect the host IP. I'm trying to write the code so it is most readable and hopefully easier to understand.

Maybe I understand some more now than I did.

Phil

You are correct! One more thing that I would like to add here is that in 8.3 and above, objects or object groups are mandatory to define the source and destination, which was not required in 8.2 and earlier versions. For reference, you can see the configuration you pasted initially, where you compared the 8.2 and 8.6 versions.

Vishnu.
