Static VPN and ACL object-group

Phil Williamson
Level 1

Can the 'selector' ACL for a tunnel be created using object-groups? I want to permit only certain hosts and TCP ports thru the IP tunnel.

I'm fairly sure this is NOT true for the NAT-0 or NoNAT ACL though.

Can anyone clarify?

Thanks

Phil

1 Reply

Jon Marshall
Hall of Fame

Hi Phil

I can't see any reason why you cannot use object-groups as the crypto access-list is just a normal access-list.

It is not recommended however to use TCP port numbers in the crypto access-list as there is a performance hit with this.

You have a number of options

1) You could use TCP port numbers and just keep an eye on the CPU utilisation

2) You could make sure you have "sysopt connection permit-ipsec/permit-vpn" turned off, permit IP in your crypto access-list and then filter more specifically using an access-list on your outside interface

3) If your device is running v7.x of the code you could use an outbound access-list on the inside interface.

You are correct when you say that using port numbers is not supported for nat exemption.

HTH

Jon
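As an added illustration of option 2 above (not configuration posted in this thread), the shape this takes on an ASA: object-groups in the crypto and NAT-exemption ACLs with IP only, the sysopt bypass disabled, and the TCP-port restriction applied by the outside interface ACL instead. Host addresses, networks, ports and names are constructed placeholders; the sysopt keyword is permit-ipsec on older code and permit-vpn on newer code, and the example assumes permit-vpn.

```cisco
! Constructed object-groups (placeholder addresses and ports)
object-group network LOCAL_HOSTS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network REMOTE_HOSTS
 network-object 192.168.2.0 255.255.255.0
object-group service ALLOWED_TCP tcp
 port-object eq 443
 port-object eq 22

! Crypto (selector) ACL: object-groups are fine, but permit IP only,
! so the tunnel selector carries no TCP port match
access-list CRYPTO_MAP_1 extended permit ip object-group LOCAL_HOSTS object-group REMOTE_HOSTS
crypto map OUTSIDE_MAP 10 match address CRYPTO_MAP_1

! NAT exemption: IP only, port numbers are not supported here
access-list NONAT extended permit ip object-group LOCAL_HOSTS object-group REMOTE_HOSTS
nat (inside) 0 access-list NONAT

! Stop decrypted VPN traffic from bypassing the interface ACLs
no sysopt connection permit-vpn

! Port-level filtering now happens on the outside interface ACL,
! which the decrypted traffic must pass once the bypass is off
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_HOSTS object-group LOCAL_HOSTS object-group ALLOWED_TCP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Disabling the sysopt bypass applies to every tunnel terminating on the box, so any existing outside ACL must already permit the traffic of other VPNs before the change is made.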
