
SplitTunnel ACLs

Tim-Saunders
Level 1

I have a 3rd party that manages a number of servers for a client.  Only the static IP on the outside interface of the client's ASA-5510 is allowed to access the servers.  They use Split Tunneling on their ASA-5510, so VPN traffic bound for those servers must go through the tunnel.  That is simple.  The information below shows the ACLs that are in place and working.  However, I would like to create an object-group for those IP addresses.  I tried the object-group code below, but it didn't work.

ACLs that are working:

access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4

What I would prefer to use is:

access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP

What am I doing wrong here?  I ran out of testing time this evening and thought I would go ahead and post this here.

Thanks in advance!

1 Accepted Solution


Oh, okay.  Bad news, dude. That won't be possible, object groups cannot be used in a standard ACL.

Please rate if it helps.


6 Replies

pevaneyn
Cisco Employee

Pevaneyn,

Is there any way to create a Standard ACL that uses an object-group?  I couldn't find one.

Hi again,

I fear not. You cannot use object-groups in standard access lists.

You can see this in the command reference entry for standard access lists.

Sorry, Peter

Antonio Knox
Level 7

Have you applied this filter ACL properly?  The config that you have here should work as far as the ACL, but it's useless if not applied to the group policy as follows:

group-policy My-VPN-Group-Policy attributes
vpn-filter value VPN_Users_splitTunnelAcl

Try this and let me know how it works for you.....

Please rate if it helps.

antonioknox,

Yes.  I have those lines in my config.  I can get the Standard ACLs to work.  I just want to use an object-group and couldn't find a way to do that without using an Extended ACL.

Oh, okay.  Bad news, dude. That won't be possible, object groups cannot be used in a standard ACL.

Please rate if it helps.
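
Added example, not part of the original thread: because a standard ACL cannot reference an object-group, one workaround is to keep the group as the single list of servers and generate the standard entries from it. The function names are hypothetical and the addresses are constructed documentation-range placeholders, not values from the posts.

```python
import ipaddress

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
object-group network MY_OBJECT_GROUP
 description third-party managed servers
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 198.51.100.0 255.255.255.0
access-list OTHER extended permit ip any any
"""


def parse_network_groups(config):
    """Return {group_name: [IPv4Network, ...]} for 'object-group network' blocks.

    Nested 'group-object' and 'network-object object' members are not expanded;
    the latter raises ValueError so nothing is silently dropped.
    """
    groups, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        indented = raw[:1].isspace()
        if indented and current is not None and words[:1] == ["network-object"]:
            if words[1] == "host":
                net = ipaddress.ip_network(words[2] + "/32")
            else:
                # strict parsing rejects entries with host bits set in the network
                net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            groups[current].append(net)
        elif words[:2] == ["object-group", "network"] and len(words) == 3:
            current = words[2]
            groups[current] = []
        elif not indented:
            current = None  # any other top-level command ends the group block
    return groups


def standard_acl_lines(acl_name, group_name, groups):
    """Expand one network group into standard ACL entries, one per member."""
    lines = []
    for net in groups[group_name]:
        if net.prefixlen == net.max_prefixlen:
            target = f"host {net.network_address}"
        else:
            target = f"{net.network_address} {net.netmask}"
        lines.append(f"access-list {acl_name} standard permit {target}")
    return lines


if __name__ == "__main__":
    parsed = parse_network_groups(SAMPLE_CONFIG)
    print("\n".join(standard_acl_lines("VPN_Users_splitTunnelAcl", "MY_OBJECT_GROUP", parsed)))
```

Diff the generated lines against the running config before applying them, so a server removed from the group is also removed from the split-tunnel list.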
