https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3194766#M1065742 <P>Hi,</P> <P>Yes, you can classify branch office rules and global edge rules on the ASA5555.</P> <P>&nbsp;</P> <P>The branch office rules will pertain to internet access and the ASA5555 ACL could be for the IPSec traffic originating from the branches.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Kias</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 06 Oct 2017 05:17:14 GMT Kias 2017-10-06T05:17:14Z https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3193460#M1065740 <P>Hey</P><P>&nbsp;</P><P>I have a large network with a ASA5555-X in middle and about 30-40 ASA's in branch offices.</P><P>&nbsp;</P><P>Maintaing ACL lists on the branch office firewalls are a lot of work. Is it possible in any way to IPsec the wanted subnets and use the the main ACL list on one of the ASA5555X interfaces instead.&nbsp;</P><P>&nbsp;</P><P>F.eks.&nbsp;</P><P>&nbsp;</P><P>client --&gt; IP --&gt; ASA BRANCH--&gt; IPSEC &lt;--- ASA5555X ---&gt; ACL ---&gt; Servers</P><P>&nbsp;</P><P>Thanx</P><P>&nbsp;</P> Fri, 21 Feb 2020 14:25:51 GMT https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3193460#M1065740 Jon Are Endrerud 2020-02-21T14:25:51Z https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3193466#M1065741 <P>Hi there,</P><P>Of course you could do that, but it would be wasteful of bandwidth to send traffic accross the WAN only to be dropped at the main office. It is best practice to drop traffic as close to source as possible.</P><P>&nbsp;</P><P>cheers,</P><P>Seb.</P> Wed, 04 Oct 2017 08:56:44 GMT https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3193466#M1065741 Seb Rupik 2017-10-04T08:56:44Z https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3194766#M1065742 <P>Hi,</P> <P>Yes, you can classify branch office rules and global edge rules on the ASA5555.</P> <P>&nbsp;</P> <P>The branch office rules will pertain to internet access and the ASA5555 ACL could be for the IPSec traffic originating from the branches.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Kias</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 06 Oct 2017 05:17:14 GMT https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3194766#M1065742 Kias 2017-10-06T05:17:14Z https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3199269#M1065743 <P>This sounds like a good idea. How do I make the IPsec traffic hit the global edge rules on the 5555X ?</P> <P>&nbsp;</P> <P>For example I have:</P> <P>&nbsp;</P> <P>branch subnett ---&gt; 10.16.100.0/22</P> <P>branch subnett ---&gt; 172.16.124.0/24</P> <P>branch subnett ---&gt; 10.16.120.0/24</P> <P>&nbsp;</P> <P>When they have a direct connection, I dont see how I can get everyhing to use one ACL list on the remote 5555X.</P> <P>&nbsp;</P> <P>Thanx</P> Mon, 16 Oct 2017 11:04:21 GMT https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3199269#M1065743 Jon Are Endrerud 2017-10-16T11:04:21Z https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3199280#M1065744 <P>Hi,</P> <P>&nbsp;</P> <P>I assume the following:</P> <P>HQ --&gt; 1.1.1.1/16</P> <P>branch 1 subnett ---&gt; 10.16.100.0/22</P> <P>branch 2 subnett ---&gt; 172.16.124.0/24</P> <P>branch 3 subnett ---&gt; 10.16.120.0/24</P> <P>&nbsp;</P> <P>3 Site to site VPNs from HQ to branches will be established. In this scenario, traffic from branch 3 to branch 1 will be routed through HQ as the hop. At HQ the ACL is defined to control the branch 3 -&gt; 1 via ACL. Also&nbsp; NoNat and hair pining are required for the VPN's which I beleive is one time config.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Kias</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 16 Oct 2017 11:12:29 GMT https://community.cisco.com/t5/network-security/simplify-acl-lists-and-ipsec/m-p/3199280#M1065744 Kias 2017-10-16T11:12:29Z