SplitTunnel ACLs

Answered Question
Sep 9th, 2010

I have a 3rd party that manages a number of servers for a client.  Only the static IP on the outside interface of the client's ASA-5510 is allowed to access the servers.  They use Split Tunneling on their ASA-5510, so VPN traffic bound for those servers must go through the tunnel.  That is simple.  The information below shows the ACLs that are in place and working.  However, I would like to create an object-group for those IP addresses.  I tried the object-group code below, but it didn't work.
ACLs that are working:

access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4

What I would prefer to use is:

access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP
What am I doing wrong here?  I ran out of testing time this evening and thought I would go ahead and post this here.
Thanks in advance!

Tim-Saunders Fri, 09/10/2010 - 06:25

Pevaneyn,

Is there any way to create a Standard ACL that uses an object-group?  I couldn't find one.

Antonio Knox Fri, 09/10/2010 - 05:40

Have you applied this filter ACL properly?  The config that you have here should work as far as the ACL, but it's useless if not applied to the group policy as follows:

group-policy My-VPN-Group-Policy attributes
vpn-filter value VPN_Users_splitTunnelAcl

Try this and let me know how it works for you...

Please rate if it helps.

Tim-Saunders Fri, 09/10/2010 - 06:27

antonioknox,

Yes.  I have those lines in my config.  I can get the Standard ACLs to work.  I just want to use an object-group and couldn't find a way to do that without using an Extended ACL.

Correct Answer
Antonio Knox Fri, 09/10/2010 - 06:59

Oh, okay.  Bad news, dude. That won't be possible, object groups cannot be used in a standard ACL.
Please rate if it helps.
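Added example, not from anyone in this thread: since a standard ACL cannot reference an object-group, the practical workaround is to keep the object-group as the single source of truth and generate the per-host and per-subnet standard ACL entries from it, so the split tunnel list never drifts from the group. The Python below parses the object network and object-group network blocks from a config excerpt, follows nested object and group references, validates each network/mask pair, and returns the standard ACL lines. The object names (SERVER_GROUP, SRV1, SRV2) and the addresses are constructed for the example. One thing to keep straight on the ASA side: the split tunnel list is attached with split-tunnel-policy tunnelspecified and split-tunnel-network-list value under group-policy attributes, while vpn-filter value attaches a traffic filter to the tunnel, which is a separate feature from split tunneling.

```python
"""Flatten an ASA network object-group into standard ACL entries.

Illustration added to this thread, not code from the original posts.
ASA standard ACLs only take 'host A.B.C.D' or 'NET MASK' entries, so a
group has to be expanded before it can be used as a split tunnel list.
Names and addresses below are constructed for the example.
"""
import ipaddress
import re

HOST_MASK = "255.255.255.255"

# Constructed sample: two named objects plus a group that mixes a host
# entry, a raw subnet entry and references to the named objects.
SAMPLE_CONFIG = """\
object network SRV1
 host 203.0.113.10
object network SRV2
 subnet 203.0.113.32 255.255.255.240
object-group network SERVER_GROUP
 description managed servers (constructed example)
 network-object host 203.0.113.1
 network-object 198.51.100.0 255.255.255.0
 network-object object SRV1
 network-object object SRV2
"""


def parse_config(text):
    """Parse 'object network' and 'object-group network' blocks.

    Returns {name: [member]} where a member is ("net", network, mask)
    or ("ref", other_name). Hosts are stored with a /32 mask. Objects
    and groups share one namespace here because expansion only needs
    to follow references. Forms a standard ACL cannot express (range,
    fqdn, service objects) raise instead of being silently dropped.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            m = re.match(r"(?:object|object-group) network (\S+)$", raw.strip())
            if not m:
                raise ValueError("unsupported top-level line: %r" % raw)
            current = m.group(1)
            blocks[current] = []
            continue
        if current is None:
            raise ValueError("member line outside a block: %r" % raw)
        p = raw.split()
        if p[0] == "description":
            continue
        if p[0] == "network-object":  # group form: drop the keyword
            p = p[1:]
        if p[0] == "host":
            blocks[current].append(("net", p[1], HOST_MASK))
        elif p[0] == "subnet":
            blocks[current].append(("net", p[1], p[2]))
        elif p[0] in ("object", "group-object"):
            blocks[current].append(("ref", p[1]))
        elif len(p) == 2 and re.match(r"\d+\.\d+\.\d+\.\d+$", p[0]):
            blocks[current].append(("net", p[0], p[1]))
        else:
            raise ValueError("unsupported member: %r" % raw)
    return blocks


def expand(blocks, name, _path=None):
    """Flatten a block into an ordered, de-duplicated list of (net, mask).

    Nested references are followed; a dangling reference or a cycle
    raises rather than yielding a silently shorter list.
    """
    path = set() if _path is None else _path
    if name in path:
        raise ValueError("reference cycle at %s" % name)
    if name not in blocks:
        raise ValueError("undefined object %s" % name)
    path.add(name)
    out = []
    for member in blocks[name]:
        if member[0] == "ref":
            out.extend(expand(blocks, member[1], path))
        else:
            out.append((member[1], member[2]))
    path.discard(name)
    result = []
    for item in out:
        if item not in result:
            result.append(item)
    return result


def standard_acl_lines(acl_name, members):
    """Render (net, mask) pairs as ASA standard ACL entries.

    Each pair is checked as a proper network (no host bits set under the
    mask) so a typo fails here rather than at the ASA CLI.
    """
    lines = []
    for net, mask in members:
        ipaddress.ip_network("%s/%s" % (net, mask), strict=True)
        if mask == HOST_MASK:
            lines.append("access-list %s standard permit host %s" % (acl_name, net))
        else:
            lines.append("access-list %s standard permit %s %s" % (acl_name, net, mask))
    return lines


def split_tunnel_acl(config_text, group_name, acl_name):
    """Parse config text and emit the standard ACL for one group."""
    return standard_acl_lines(acl_name, expand(parse_config(config_text), group_name))


if __name__ == "__main__":
    for line in split_tunnel_acl(SAMPLE_CONFIG, "SERVER_GROUP", "VPN_Users_splitTunnelAcl"):
        print(line)
```

Paste the object and object-group blocks from the ASA into the config text, run it, and apply the printed lines; the group-policy still needs split-tunnel-policy tunnelspecified and split-tunnel-network-list value pointing at the generated ACL name. Because the expansion de-duplicates and rejects cycles and bad masks, rerunning it after the group changes is a safe way to regenerate the list.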
