Add new host as source to existing IPSEC profile on ASA?

CiscoPurpleBelt
Level 6

Can you simply add a new host or create a new object-group and add all the source hosts in the IPSEC profile on ASA without breaking anything assuming remote end has allowed the new host?

6 Replies

Hi,
Yes, you can add the new network/host to the ACL or to the object group that is referenced in the ACL in use by the crypto map. Nothing should break, as long as both ends of the VPN tunnel have been configured with the same host/network with the correct mask.

If it works correctly, a new IPSec SA should be created to/from the new host/network.

HTH

Ok so I created a new object-group, added the existing local interesting traffic hosts in addition to the new host IP to this group, and replaced the individual hosts with this group as source local address.
There were NAT configs for the current individual hosts and I replaced them with the group as well.
I updated the ACL for the interesting traffic with the object-group as well, replacing the individual hosts.
VPN still did not establish. I am not sure if it is the remote side configs or why it was not establishing. Any ideas?

You should confirm exactly what the 3rd party configured on the remote VPN. What make is the other firewall?
If you enable some debugs and provide the output, it will provide a clue.

In reference to this IPSEC VPN, I have the following. The DM objects are being NATed to themselves, correct? I can replace the DM objects with an object-group containing both those objects, correct? Why does X.X.X.30_new appear twice?
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static X.X.X.30_object X.X.X.30_object

This is an example of twice NAT, which allows you to translate the source and destination. In regard to IPSec VPN and NAT exemption, you are essentially telling the ASA to translate the source and destination to itself; in other words, don't NAT.

If you don't configure this NAT exemption rule (translating itself to itself), then normally the outbound traffic would hit the dynamic NAT rule and be NATed behind the outside interface.
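As an added, constructed example (not the poster's configuration), this is what the object-group, crypto ACL and identity twice-NAT exemption described in this thread look like together on an ASA, plus the EXEC checks to confirm the new host takes the exemption rule rather than dynamic NAT. The local host addresses, group name, crypto map name and interface names are placeholders; X.X.X.30_object is the peer object name from the thread.

```cisco
! Constructed example; names and 203.0.113.x addresses are placeholders, not from the thread.
object network X.X.X.30_object
 host X.X.X.30
!
! All local sources for this tunnel live in one group, so adding a host later is one line here.
object-group network LOCAL_VPN_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 ! newly added host
 network-object host 203.0.113.12
!
! Crypto ACL (interesting traffic) references the group instead of individual hosts.
access-list VPN_TO_PEER extended permit ip object-group LOCAL_VPN_HOSTS object X.X.X.30_object
!
! NAT exemption as twice NAT: source and destination translate to themselves (identity NAT).
! Position 1 puts it in section 1 so it is evaluated before any dynamic or auto NAT rule.
nat (inside,outside) 1 source static LOCAL_VPN_HOSTS LOCAL_VPN_HOSTS destination static X.X.X.30_object X.X.X.30_object no-proxy-arp route-lookup
!
! Crypto map entry bound to the ACL. The remote peer must carry the mirror-image proxy IDs
! (same hosts and masks) or Phase 2 fails with a proxy-ID mismatch for the new host.
crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
!
! --- verification from privileged EXEC, not config mode ---
! Simulate the new host: the output should show the identity NAT rule and the VPN encrypt
! phase, not the dynamic outside NAT rule.
packet-tracer input inside tcp 203.0.113.12 12345 X.X.X.30 443
! After sending traffic, check that a separate SA with the new host in its proxy IDs exists.
show crypto ipsec sa peer <remote-peer-ip>
! Confirm hit counts on the exemption rule and rule ordering.
show nat detail
```

If packet-tracer shows the dynamic NAT rule being matched, the exemption rule is missing or ordered after it; if it shows the VPN phase but no SA forms, compare the proxy IDs with the remote side's configuration.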

I don't see any other dynamic NAT rules and/or NAT rules that would apply to this traffic as no private IPs are being used.