crypto access-list with multiple entries

albert_coll (Level 1)

Hello,

I need to establish a L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

Accepted Solution

Jon Marshall (Hall of Fame)

albert_coll wrote:

Hello,

I need to establish a L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

You can specify as many lines as you want in a crypto map access-list. If ASDM, which I don't use, is not letting you, then you can definitely do it from the CLI.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.


2 Replies


Thank you Jon.

By using object-groups (which contain multiple subnets) I could fit all my local subnets in a single ACL entry, so I can configure the ACL under ASDM.

Albert.
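Added example, not configuration from Jon's or Albert's posts: the two forms discussed in this thread side by side, the multi-entry crypto ACL Jon describes and the single object-group entry Albert settled on, bound to a crypto map, with the checks that go with them. It assumes the ACL is configured on the ASA5540 itself (10.0.0.0/8 and 172.16.0.0/16 behind the ASA, 192.168.33.0/24 at the remote site) and ASA 8.2-era syntax (pre-8.3 NAT); the peer address 203.0.113.10, the transform-set, crypto map and object-group names are all made up for the example.

```cisco
! Added example (not from the thread). Assumes the ACL lives on the ASA5540,
! with 10.0.0.0/8 and 172.16.0.0/16 behind the ASA and 192.168.33.0/24 at the
! remote site. Pre-8.3 syntax; peer 203.0.113.10 and all names are constructed.

! --- Form 1: one ACE per local/remote pair (a crypto ACL may hold any number) ---
! On the ASA, the source side is the ASA's own networks, the destination is the
! peer's. The protocol keyword 'ip' is required in an extended ACE.
access-list l2l_list extended permit ip 10.0.0.0 255.0.0.0 192.168.33.0 255.255.255.0
access-list l2l_list extended permit ip 172.16.0.0 255.255.0.0 192.168.33.0 255.255.255.0

! --- Form 2: object-groups collapse the ACL to a single ACE (usable from ASDM) ---
! The ASA expands this into the same per-pair proxy identities as Form 1.
object-group network LOCAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
object-group network REMOTE_NETS
 network-object 192.168.33.0 255.255.255.0
access-list l2l_list_og extended permit ip object-group LOCAL_NETS object-group REMOTE_NETS

! --- Bind one of the two ACLs to the crypto map and apply it to the outside interface ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address l2l_list_og
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- NAT exemption (pre-8.3): traffic for the tunnel must not be translated ---
! Without this, packets to the remote site take the normal NAT path instead of
! matching the crypto ACL, and never enter the tunnel.
access-list NONAT extended permit ip object-group LOCAL_NETS object-group REMOTE_NETS
nat (inside) 0 access-list NONAT

! --- The peer's crypto ACL must be the exact mirror image of every expanded ACE ---
! On the remote device (either form), the pairs are reversed:
!   access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
!   access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0
! A subnet present on one side only fails Phase 2 negotiation for that pair
! (proxy-ID mismatch); its traffic is then routed in the clear or dropped, not tunnelled.

! --- Checks: the expanded ACEs and one IPsec SA pair per expanded pair ---
! show access-list l2l_list_og
! show crypto ipsec sa peer 203.0.113.10
```

Whichever form is used, `show access-list` on the object-group ACL lists the individual expanded entries with their hit counts, and after traffic has flowed `show crypto ipsec sa` should show a separate SA pair for each local/remote subnet pair; a pair that never appears is the first place to look when one local subnet is reachable over the tunnel and another is not.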
