Contributor

Add new host as source to existing IPSEC profile on ASA?

Can you simply add a new host, or create a new object-group and add all the source hosts, in the IPSEC profile on the ASA without breaking anything, assuming the remote end has allowed the new host?

RJI, VIP Advisor

Re: Add new host as source to existing IPSEC profile on ASA?

Hi,
Yes, you can add the new network/host to the ACL or to the object group that is referenced in the ACL in use by the crypto map. Nothing should break, as long as both ends of the VPN tunnel have been configured with the same host/network with the correct mask.

If it works correctly, a new IPSec SA should be created to/from the new host/network.

HTH
Contributor

Re: Add new host as source to existing IPSEC profile on ASA?

Ok so I created a new object-group, added the existing local interesting traffic hosts in addition to the new host IP to this group, and replaced the individual hosts with this group as source local address.
There were NAT configs for the current individual hosts and I replaced them with the group as well.
I updated the ACL for the interesting traffic with the object-group as well, replacing the individual hosts.
VPN still did not establish. I am not sure if it is the remote side configs or why it was not establishing. Any ideas?
RJI, VIP Advisor

Re: Add new host as source to existing IPSEC profile on ASA?

You should confirm exactly what the 3rd party configured on the remote VPN. What make is the other firewall?
If you enable some debugs and provide the output, it will provide a clue.
Contributor

Re: Add new host as source to existing IPSEC profile on ASA?

In reference to this IPSEC VPN, I have the following. The DM objects are being NATted to themselves, correct? I can replace the DM objects with an object-group containing both those objects, correct? Why does X.X.X.30_new appear twice?
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static X.X.X.30_object X.X.X.30_object

RJI, VIP Advisor

Re: Add new host as source to existing IPSEC profile on ASA?

This is an example of twice NAT, which allows you to translate both the source and the destination. In regard to IPSec VPN and NAT exemption, you are essentially telling the ASA to translate the source and destination to themselves; in other words, don't NAT.

If you don't configure this NAT exemption rule (translating itself to itself) then normally the outbound traffic would hit the dynamic nat rule and be natted behind the outside interface.
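The object-group replacement discussed in this thread, written out as an added example with placeholder names, addresses and interface nameifs (this is not configuration from the thread or from Cisco); the verification commands follow as comments:

```cisco
! Constructed example: the original hosts plus the new one are collected in a
! group that the crypto ACL and the NAT exemption both reference.
! Object names, addresses, nameifs and the crypto map name are placeholders.
object-group network LOCAL_VPN_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object host 203.0.113.12
!
! The remote side stays a single object, like X.X.X.30_object in the thread.
object network REMOTE_VPN_HOST
 host 198.51.100.30
!
! Crypto ACL: the group line replaces the individual host lines. The ASA expands
! it into one proxy identity per group member, so the peer must accept each
! local-host/remote-host pair, or Phase 2 fails for that pair only.
access-list VPN_TO_PARTNER extended permit ip object-group LOCAL_VPN_HOSTS object REMOTE_VPN_HOST
!
! NAT exemption (identity twice NAT): source and destination are translated to
! themselves, which is why the same object name appears twice on each side.
! As a manual (section 1) rule it is evaluated before any object (auto) NAT,
! so tunnel traffic never reaches a dynamic rule.
nat (inside,outside) source static LOCAL_VPN_HOSTS LOCAL_VPN_HOSTS destination static REMOTE_VPN_HOST REMOTE_VPN_HOST no-proxy-arp route-lookup
!
! Existing crypto map entry, now pointing at the updated ACL.
crypto map OUTSIDE_MAP 10 match address VPN_TO_PARTNER
!
! Checks after the change (from enable mode):
! show nat detail
!   -> translate_hits on the identity rule increase, not on a dynamic rule
! packet-tracer input inside tcp 203.0.113.12 1025 198.51.100.30 443
!   -> the NAT phase shows the identity rule; the VPN phase shows subtype encrypt
! show crypto ikev1 sa      (or: show crypto ikev2 sa)
!   -> confirm Phase 1 is up before chasing Phase 2 proxy-identity mismatches
! show crypto ipsec sa peer 192.0.2.1
!   -> one SA per local/remote pair; the new host must appear as its own pair
```

If Phase 1 is up but only the new host's pair is missing from `show crypto ipsec sa`, the peer has not added that host to its own proxy identities.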

Contributor

Re: Add new host as source to existing IPSEC profile on ASA?

I don't see any other dynamic NAT rules and/or NAT rules that would apply to this traffic as no private IPs are being used.