Static VPN and ACL object-group

Aug 14th, 2007

Can the 'selector' ACL for a tunnel be created using object-groups? I want to permit only certain hosts and TCP ports through the IP tunnel.

I'm fairly sure this is NOT true for the NAT-0 or NoNAT ACL though.

Can anyone clarify?



Jon Marshall Tue, 08/14/2007 - 05:41

Hi Phil

I can't see any reason why you cannot use object-groups as the crypto access-list is just a normal access-list.

It is not recommended, however, to use TCP port numbers in the crypto access-list, as there is a performance hit with this.

You have a number of options

1) You could use TCP port numbers and just keep an eye on the CPU utilisation

2) You could make sure you have "sysopt connection permit-ipsec/permit-vpn" turned off, permit IP in your crypto access-list, and then filter more specifically using an access-list on your outside interface

3) If your device is running v7.x of the code you could use an outbound access-list on the inside interface.

You are correct when you say that using port numbers is not supported for nat exemption.
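The following is an added configuration example illustrating the second and third options in the reply above, together with the object-group crypto and NAT-exemption ACLs from the question; it is not configuration from the original thread. It uses ASA 7.x syntax, and the object-group names, access-list names, crypto-map name, peer address 203.0.113.2 and the 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) hosts are assumed values chosen for the illustration.

```cisco
! --- Object groups reused by every ACL below (assumed names/addresses) ---
object-group network LOCAL_HOSTS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network REMOTE_HOSTS
 network-object host 10.2.2.10
 network-object host 10.2.2.11
object-group service TUNNEL_TCP tcp
 port-object eq 22
 port-object eq 443
!
! --- Crypto (selector) ACL: object-groups are fine, but keep it to "permit ip".
!     Ports here would work but add the per-packet cost the reply warns about.
access-list CRYPTO_VPN extended permit ip object-group LOCAL_HOSTS object-group REMOTE_HOSTS
!
! --- NAT exemption (nat 0): IP only; port numbers are not supported here.
access-list NONAT extended permit ip object-group LOCAL_HOSTS object-group REMOTE_HOSTS
nat (inside) 0 access-list NONAT
!
! --- Tunnel definition bound to the selector ACL above.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! --- Option 2: stop decrypted VPN traffic from bypassing interface ACLs
!     (the keyword is permit-ipsec on the older PIX 6.x code).
no sysopt connection permit-vpn
!
! --- Option 2 (cont.): port filtering on the outside interface, inbound.
!     Only the listed TCP ports from the remote hosts reach the local hosts.
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_HOSTS object-group LOCAL_HOSTS object-group TUNNEL_TCP
access-group OUTSIDE_IN in interface outside
!
! --- Option 3 (7.x only): outbound ACL on the inside interface.
!     "out" on inside filters traffic leaving the firewall toward the inside hosts,
!     so the source is the remote side and the destination is the local side.
access-list INSIDE_OUT extended permit tcp object-group REMOTE_HOSTS object-group LOCAL_HOSTS object-group TUNNEL_TCP
access-group INSIDE_OUT out interface inside
```

Two checks are worth doing after applying this. `show crypto ipsec sa` should list the local/remote proxy identities as the host pairs expanded from the object-groups, which confirms the selector ACL was accepted as written; and `show access-list OUTSIDE_IN` (or `INSIDE_OUT`) shows per-line hit counts, so a connection on a port outside TUNNEL_TCP should increment nothing there and be dropped. Note that once `sysopt connection permit-vpn` is off, every VPN flow is subject to the outside-interface ACL, so any other tunnels terminating on that interface need their own permit lines too.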
