New Member

crypto access-list with multiple entries

Hello,

I need to establish a L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: crypto access-list with multiple entries

albert_coll wrote:

Hello,

I need to establish a L2L tunnel from a remote site to an ASA5540.

The ASA5500 Configuration Guide instructs you to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".

All the ACL examples I found consist of only one line. Moreover, from ASDM you can only specify one local subnet and one remote subnet.

Can I define an ACL including several lines, one for every local subnet?

Example:

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list l2l_list extended permit ip 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16.

You can specify as many lines as you want in a crypto map access-list. If ASDM, which I don't use, is not letting you, then you can definitely do it from the CLI.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

2 REPLIES
New Member

Re: crypto access-list with multiple entries

Thank you Jon.

By using object-groups (which contain multiple subnets) I could fit all my local subnets in a single ACL entry, so I can configure the ACL from ASDM.

Albert.
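The two approaches from this thread side by side, as an added example that is not part of the original posts: Jon's multi-line crypto ACL (one entry per local subnet) and Albert's object-group version, both written from the ASA5540's point of view, where 10.0.0.0/8 and 172.16.0.0/16 are the local networks and 192.168.33.0/24 is the remote site. Note that the ACL lines in the question list 192.168.33.0/24 as the source, which is the remote peer's perspective; each side's crypto ACL must be the exact mirror image of the other's. The names outside_map, HQ_LOCAL_NETS, REMOTE_SITE_NETS, ESP-AES-SHA and nonat, the PEER_IP placeholder, and the pre-8.3 `nat 0` syntax are assumptions for this example; the ISAKMP policy and tunnel-group for the peer are assumed to exist already.

```cisco
! ASA5540 (hub) side. Local subnets are the SOURCE of the crypto ACL; the remote
! site's crypto ACL is the mirror image (source and destination swapped).
! Addresses come from the thread; object and map names are placeholders.

! Option A (Jon's answer): one ACE per local subnet. Each ACE negotiates its
! own IPsec SA pair with the peer.
access-list l2l_list extended permit ip 10.0.0.0 255.0.0.0 192.168.33.0 255.255.255.0
access-list l2l_list extended permit ip 172.16.0.0 255.255.0.0 192.168.33.0 255.255.255.0

! Option B (Albert's follow-up): the same policy as a single ACE using
! object-groups, which ASDM can edit. The ASA expands the ACE to the same
! two address pairs as Option A, so the SA count is identical.
object-group network HQ_LOCAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.0.0
object-group network REMOTE_SITE_NETS
 network-object 192.168.33.0 255.255.255.0
access-list l2l_list_og extended permit ip object-group HQ_LOCAL_NETS object-group REMOTE_SITE_NETS

! NAT exemption must cover exactly the same address pairs, otherwise tunnel
! traffic is translated before the crypto ACL ever sees it (pre-8.3 syntax).
access-list nonat extended permit ip object-group HQ_LOCAL_NETS object-group REMOTE_SITE_NETS
nat (inside) 0 access-list nonat

! Bind one of the two ACLs to the crypto map entry for this peer.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_list_og
crypto map outside_map 10 set peer PEER_IP
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Verification: the object-group ACE shown expanded with per-entry hit counts,
! and one IPsec SA pair per expanded entry once traffic has flowed.
show access-list l2l_list_og
show crypto ipsec sa peer PEER_IP
```

Use only `permit ip` entries in the crypto ACL; the address pairs it lists are what the ASA proposes as proxy identities during Phase 2, so any subnet missing here (or mismatched on the peer) shows up as a failed Phase 2 negotiation for that pair rather than as a routing problem. `show access-list` on the object-group ACL is the quickest way to confirm that the expansion produced the entries you expected before you touch the crypto map.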
