04-07-2010 02:26 AM
Hello,
I need to establish a L2L tunnel from a remote site to an ASA5540.
The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".
All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.
Can I define an ACL including several lines, one for every local subnet?
Example:
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0
The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.
04-07-2010 03:10 AM
albert_coll wrote:
Hello,
I need to establish a L2L tunnel from a remote site to an ASA5540.
The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".
All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.
Can I define an ACL including several lines, one for every local subnet?
Example:
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0
The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.
You can specify as many lines as you want in a crypto map access-list. If ASDM, which I don't use, is not letting you, then you can definitely do it from the CLI.
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
04-07-2010 10:52 PM
Thank you Jon.
By using object-groups (which contain multiple subnets) I could fit all my local subnets in a single ACL entry, so I can configure the ACL under ASDM.
Albert.
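The two approaches from this thread side by side, as an added example that is not configuration posted by Jon or Albert: Jon's multi-line crypto ACL (one entry per subnet) and Albert's single entry built from network object-groups, both bound to a crypto map. It is written for the ASA whose local LAN is 192.168.33.0/24, matching the orientation of the ACL in the question. The object-group names, the crypto map name and sequence number, the transform-set name and the peer address 203.0.113.1 are placeholders, and the NAT exemption uses the ASA 8.2-era `nat 0 access-list` syntax that was current when the thread was written; ISAKMP policy and tunnel-group configuration are unchanged by this and are omitted.

```cisco
! Added example (not from the thread). Local LAN 192.168.33.0/24; the peer ASA 5540
! holds 10.0.0.0/8 and 172.16.0.0/16. Peer address 203.0.113.1 is a placeholder.

! --- Form 1: one ACE per remote subnet, as Jon describes ---
! Note the "ip" protocol keyword: ASA extended ACLs require it.
access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

! --- Form 2: a single ACE using network object-groups, as Albert did ---
object-group network LOCAL_NETS
 network-object 192.168.33.0 255.255.255.0
object-group network HUB_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
access-list l2l_list_og extended permit ip object-group LOCAL_NETS object-group HUB_NETS
! The ASA expands this into the same two ACEs as Form 1;
! "show access-list l2l_list_og" displays the expanded entries.

! Bind whichever ACL you use to the crypto map entry for this peer.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_list_og
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Keep the NAT exemption in step with the crypto ACL: traffic to a subnet that is in
! the crypto ACL but not here gets translated and never matches the tunnel.
access-list nonat extended permit ip object-group LOCAL_NETS object-group HUB_NETS
nat (inside) 0 access-list nonat

! On the peer (the ASA 5540) the crypto ACL must be the mirror image, e.g.
! access-list l2l_list_hub extended permit ip object-group HUB_NETS object-group LOCAL_NETS
```

When a subnet is added later, add one `network-object` line to the group and both the crypto ACL and the NAT exemption pick it up; with Form 1 the new line has to be added to each ACL separately, and to the peer's mirrored ACL in either case.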