[c-nsp] site-to-site vpn NAT/PAT interesting traffic config question

Andrew Escher andrew.escher at gmail.com
Thu Dec 15 12:43:43 EST 2011


I am in the process of migrating tunnels off an ASA running 8.2 code
at a customer's former data center. The tunnels will be moving to
another ASA running 8.4.2 code. The vendor side equipment ranges from
ASAs to Junipers and I don't have access to them. The majority of the
tunnels require either NAT or PAT due to private addresses. Just as a
precaution before I migrate all the tunnels I thought I would get a
second set of eyes on two of the config files that require the
interesting traffic to have a NAT or PAT. The IPs have been changed to
protect the innocent. So the pointy end of the stick is ... Are the
configs correct?
Phase 1 has already been defined on the ASA and is working fine for
the simpler tunnels.

First is just a static NAT

name 5.6.7.8 VendorName

object-group network VendorName-R
 network-object host 192.168.1.10

object-group network VendorName-NAT-R
 network-object host 10.1.0.2

object-group network VendorName-L
 network-object host 10.1.1.3

access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R

crypto map vpnmap 10 match address VendorName-crypto
crypto map vpnmap 10 set peer VendorName
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key cryptosecretkey

route outside 192.168.1.10 255.255.255.255 8.8.8.8 1


Second config

name 5.6.7.8 VendorName

object-group network VendorName-R-1
 network-object subnet 192.168.1.0 255.255.255.0

object-group network VendorName-R-2
 network-object subnet 192.168.2.0 255.255.255.0

object-group network VendorName-R-3
 network-object host 192.168.1.20

object-group network VendorName-R-4
 network-object host 192.168.1.21

object-group network VendorName-NAT-R-1
 network-object host 10.1.0.2

object-group network VendorName-NAT-R-2
 network-object host 10.1.0.3

object-group network VendorName-NAT-R-3
 network-object host 10.1.0.4

object-group network VendorName-NAT-R-4
 network-object host 10.1.0.5

object-group network VendorName-L
 network-object host 10.1.1.3
 network-object host 10.1.1.6

access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-1
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-2
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-3
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R-4
nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-1 destination static VendorName-R-1 VendorName-R-1
nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-2 destination static VendorName-R-2 VendorName-R-2
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-3 destination static VendorName-R-3 VendorName-R-3
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-4 destination static VendorName-R-4 VendorName-R-4

crypto map vpnmap 290 match address VendorName-crypto
crypto map vpnmap 290 set peer VendorName
crypto map vpnmap 290 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key cryptosecretkey

route outside 192.168.1.0 255.255.255.0 8.8.8.8 1
route outside 192.168.1.0 255.255.255.0 8.8.8.8 1



The ACL on the second config, as I understand it, can be shortened to the
following; is it recommended, however?

object-group network VendorName-R
 network-object object VendorName-R-1
 network-object object VendorName-R-2
 network-object object VendorName-R-3
 network-object object VendorName-R-4

access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R



I apologize if this is the wrong list and appreciate everyone's time
for taking a look and responding.
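A check worth running before migrating configs like the two above: on ASA 8.3+ NAT is applied before the crypto map is consulted, so a crypto ACL has to name the post-NAT (mapped) source and the destination as the peer sees it, not the pre-NAT local object. The following added example (editorial code, not part of the original post or any Cisco tool) parses the object-group-based ACEs and twice-NAT lines in the style used in both configs, static and dynamic alike, and flags any crypto ACE whose source is the real (pre-NAT) object of a NAT rule; the sample input is the first config from the post with its placeholder names.

```python
import re

# Sample input, copied from the first config in the post (placeholder names/addresses).
SAMPLE = """
object-group network VendorName-R
 network-object host 192.168.1.10
object-group network VendorName-NAT-R
 network-object host 10.1.0.2
object-group network VendorName-L
 network-object host 10.1.1.3
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$")
NAT = re.compile(r"^nat \(\S+\) \d+ source (?:static|dynamic) (\S+) (\S+) destination static (\S+) (\S+)$")

def parse(text):
    """Return (crypto ACEs keyed by ACL name, list of twice-NAT rules as dicts)."""
    acls, nats = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := ACE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := NAT.match(line):
            nats.append({"real_src": m[1], "mapped_src": m[2],
                         "real_dst": m[3], "mapped_dst": m[4]})
    return acls, nats

def check_crypto_acl(text, acl_name):
    """Each crypto ACE must match a NAT rule's (mapped_src, mapped_dst) pair,
    because the ASA evaluates the crypto map on already-translated packets.
    Returns one finding string per ACE that does not line up with any NAT rule."""
    acls, nats = parse(text)
    findings = []
    for src, dst in acls.get(acl_name, []):
        if any(n["mapped_src"] == src and n["mapped_dst"] == dst for n in nats):
            continue  # ACE names post-NAT addresses: consistent
        for n in nats:
            if src == n["real_src"]:
                findings.append(f"ACE {src}->{dst}: source is the pre-NAT object; "
                                f"expected {n['mapped_src']}->{n['mapped_dst']}")
                break
        else:
            findings.append(f"ACE {src}->{dst}: no NAT rule produces this pair")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_acl(SAMPLE, "VendorName-crypto"):
        print(finding)
```

The finding it reports on the sample shows which object pair the ACE would need to reference for the NAT rule and crypto ACL to agree.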
