different firmware for site-to-site vpn

syazowen86 · ‎03-19-2013

can ASA ver8 perform site-to-site with ASA ver7?

any changes that i should know connecting this 2 asa?

Karsten Iwen · ‎03-19-2013

That won't be a problem. You can build site-to-site VPNs between different ASA-versions and typically even between different vendors.

For your VPN between v7 and v8 the syntax has changed a little bit and some defaults changed. For example on the older code the clear-text-traffic had to be allowed in the interface ACL what changed in newer releases.

I would suggest to build your VPN and ask again if there are some problems with that.

Sent from Cisco Technical Support iPad App

syazowen86 · ‎03-20-2013

thats what i had in mind, but i couldnt find anything about that on cisco website..

Karsten Iwen · ‎03-20-2013

there are lots of examples for the different version on the cisco-site:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

syazowen86 · ‎03-22-2013

hi karsten.iwen,

how do i change this static route command to version 8 static route?

is it thru this command?

object network obj_any

nat (inside,outside) dynamic interface

from ver 7

global (outside) 10 interface

global (outside) 20 10.10.10.75

global (dmz) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

nat (dmz) 20 192.168.1.0 255.255.255.0

static (dmz,outside) tcp 10.10.10.75 www 192.168.1.1 www netmask 255.255.255.255

static (dmz,outside) tcp 10.10.10.75 https 192.168.1.1 https netmask 255.255.255.255

Karsten Iwen · ‎03-22-2013

object network obj_any
  nat (inside,outside) dynamic interface

thats dynamic NAT, what was the nat/global command in the older release.

static (dmz,outside) tcp 10.10.10.75 www 192.168.1.1 www netmask 255.255.255.255
static (dmz,outside) tcp 10.10.10.75 https 192.168.1.1 https netmask 255.255.255.255

these two statics are configured the following way in ASA 8.3+:

object network Server-192.168.1.1-www

host 192.168.1.1

nat (dmz,outside) static 10.10.10.75 service tcp www www

!

object network Server-192.168.1.1-https

host 192.168.1.1

nat (dmz,outside) static 10.10.10.75 service tcp https https

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

syazowen86 · ‎03-22-2013

thanks for ur reply,

i also cant convert this command in ver8

global (outside) 10 interface

global (outside) 20 10.10.10.75

global (dmz) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

nat (dmz) 20 192.168.1.0 255.255.255.0

syazowen86 · ‎03-22-2013

is there any different with this? on static route?

nat (dmz,outside) source static 192.168.1.1 192.168.1.1 destination static 10.10.10.75 10.10.10.75 service www www

vs

object network Server-192.168.1.1-www

host 192.168.1.1

nat (dmz,outside) static 10.10.10.75 service tcp www www