Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN with more than one filter / nested ACL

Dear All,

Is there a way to assign more than one ACL to a VPN profile or implement a nested ACL structure?

I am trying to avoid modifing a large list of ACLs to insert the same ACE in each ACL bound to different VPN profiles.

Everyone's tags (3)
Super Bronze

VPN with more than one filter / nested ACL


If we are talking about ASAs and VPN Filter ACLs then have you considered the option where you change the global setting

NOTE: The below setting should not be changed unless you know its effects in your environment

sysopt connection permit-vpn


no sysopt connection permit-vpn

So that you can handle all access control on your external interfaces interface ACL rather than with separate VPN Filter ACLs?

Naturally in an existing environment this might be a bit tricky to implement as BEFORE changing the above setting you would have to make sure that all the traffic required (or everything) from the VPN connections is allowed in the interface ACL.

Implementing this would eventually let you modify a single ACL (the external interface ACL) for all the rules that should apply to connections initiated from behind VPN Connections.

- Jouni

New Member

VPN with more than one filter / nested ACL

This would not fall in line with our requirements since the filters are all business specific and hence have separate access rules which would be a bit complex to regulate with a interface ACL.

My research with regards to nested ACLs has not proved fruitful hence I believe this option does not exist as yet.

Super Bronze

VPN with more than one filter / nested ACL


I know only the few basics ways to control the VPN users traffic they basically are

  • Changing the global "sysopt" setting and controlling all user traffic on the external interface ACL
  • Use separate VPN Filter ACLs
  • If using subinterfaces for local interfaces then tie the VPN connection to a specific Vlan which would allow connectivity only towards that Vlan subinterface for those VPN users.

In some cases we might use a separate device to do the access control.

But I guess if the requirement is to have a specific ACL for each VPN user group then the original suggestion is not an option for you.

I was just thinking that using the same ACL would make it easier to generate the new configuration addiotion. Atleast in the sense that the ACL name for each rule would be the same. If you didnt make too broad ACL rules it would not really allow any connectivity between the different networks involved though that would also depend on the NAT configurations, not just the ACL.

- Jouni

CreatePlease login to create content