crypto access-list with multiple entries

Answered Question
Apr 7th, 2010

Hello,

I need to establish an L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

Correct Answer by Jon Marshall, Wed, 04/07/2010 - 03:10

albert_coll wrote:

Hello,

I need to establish an L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

You can specify as many lines as you want in a crypto map access-list. If ASDM, which I don't use, is not letting you, then you can definitely do it from the CLI.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.


albert_coll Wed, 04/07/2010 - 22:52

Thank you Jon.

By using object-groups (which contain multiple subnets) I could fit all my local subnets in a single ACL entry, so I can configure the ACL under ASDM.

Albert.
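The two approaches from this thread in ASA CLI form, as an added example that is not from the original posts: the multi-entry crypto ACL Jon describes, and the single-entry object-group version Albert settled on. Assumed: the 5540 is the local side with 10.0.0.0/8 and 172.16.0.0/16 behind it, 192.168.33.0/24 sits behind the peer at 203.0.113.10 (a documentation address), and all object, ACL and map names are placeholders.

```text
! Added example (not from the thread). Assumed: 10.0.0.0/8 and 172.16.0.0/16 are behind
! this ASA 5540, 192.168.33.0/24 is behind the peer at 203.0.113.10, names are placeholders.
!
! --- Option 1 (Jon's answer): one crypto ACL entry per local subnet.
! In an ASA crypto ACL the source is the network behind this ASA and the destination
! the network behind the peer; the protocol keyword ("ip") is required.
access-list l2l_list extended permit ip 10.0.0.0 255.0.0.0 192.168.33.0 255.255.255.0
access-list l2l_list extended permit ip 172.16.0.0 255.255.0.0 192.168.33.0 255.255.255.0
!
! --- Option 2 (Albert's follow-up): object-groups collapse the local subnets into one
! entry, which fits ASDM's single local/remote network fields. The ASA expands the
! group into the same per-subnet entries internally ("show access-list l2l_list_og").
object-group network LOCAL_LANS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
object-group network REMOTE_LAN
 network-object 192.168.33.0 255.255.255.0
access-list l2l_list_og extended permit ip object-group LOCAL_LANS object-group REMOTE_LAN
!
! --- Tie the crypto ACL to the peer (identical for either option; pick one ACL name).
! An isakmp policy and "crypto isakmp enable outside" are also needed; omitted here.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_list
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! Checks once the tunnel is up: each expanded ACL entry negotiates its own SA pair, so
! "show crypto ipsec sa" should list one local ident / remote ident pair per local subnet.
! The peer's crypto ACL must be the mirror image (192.168.33.0/24 as source, the two
! local subnets as destinations), otherwise the proxy identities will not match.
!
! Scope note: by default (sysopt connection permit-vpn) decrypted tunnel traffic bypasses
! the outside interface ACL, so the crypto ACL is effectively what the remote site can
! reach. Keep it to the exact subnets rather than "any".
```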
