I'm trying to figure out the best way to consolidate the long ACL I created, so that my 3560G won't have to spend a lot of time processing it. Its purpose is to limit the access for certain users after they use VPN to connect to work. The picture below shows entries in the ACL; I used Network Assistant to do this. The ACL is attached to the inbound interface (C3560G) for the outbound connection from the VPN server, I hope that makes sense.
Ok, if your RRAS doesn't support access control, then you have to use your switch for that. As I said, you won't get any performance improvements from optimization. My advice would be to group your ACL in a way that is as readable as possible. With that it's not as likely to make configuration mistakes as it is the case with optimized ACLs on routers, where an often heard advice is that the entries that match often have to be moved to the top.
An optimization that is possible and quite useful is to match your users to IP subnets on the RRAS based on function. If for example all restricted users get an IP in the 192.168.8.128/28 range (which is 192.168.8.128 to 192.168.8.143), then you only need one line each for your permits and denies on the switch. And you don't have to touch the switch when a new user is assigned the restricted role. In the same way you configure a range for unrestricted users.
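The consolidation the reply above describes, worked through as an added example (not code from the thread): per-user host entries are collapsed into the fewest covering prefixes, each prefix is turned into the IOS wildcard-mask form, and the resulting extended ACL lines are emitted. The restricted host list and the protected server subnet are constructed sample values; the ACL name is assumed.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: sixteen per-user host entries that today
# occupy sixteen separate ACL lines (192.168.8.128 .. 192.168.8.143).
RESTRICTED_HOSTS = [f"192.168.8.{i}" for i in range(128, 144)]
# Constructed sample: the internal subnet restricted users must not reach.
PROTECTED_SUBNET = "10.1.1.0/24"


def summarize_hosts(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse /32 host entries into the minimal set of covering prefixes.

    Contiguous, aligned hosts merge into one network; stragglers stay as /32.
    """
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))


def ios_source(net: ipaddress.IPv4Network) -> str:
    """Render a prefix the way an IOS extended ACL expects it.

    IOS uses a wildcard mask (the bitwise inverse of the subnet mask),
    so 192.168.8.128/28 becomes '192.168.8.128 0.0.0.15'.
    """
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_acl(name: str, restricted: Iterable[str], protected: str) -> List[str]:
    """Emit one deny line per collapsed restricted prefix, then permit the rest."""
    dest = ios_source(ipaddress.ip_network(protected, strict=False))
    lines = [f"ip access-list extended {name}"]
    for net in summarize_hosts(restricted):
        lines.append(f" deny ip {ios_source(net)} {dest}")
    lines.append(" permit ip any any")  # unrestricted VPN users keep full access
    return lines


if __name__ == "__main__":
    for line in build_acl("VPN_RESTRICTED", RESTRICTED_HOSTS, PROTECTED_SUBNET):
        print(line)
```

Adding one host outside the aligned range (e.g. 192.168.8.150) yields a second deny line, which is exactly the case the reply avoids by assigning restricted users addresses from a single subnet on the RRAS.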