topic how to create a ACL to allow multiple IP addresses to access to in Network Security

how to create a ACL to allow multiple IP addresses to access to one PC?

LionKin1984 — Tue, 12 Mar 2019 03:20:44 GMT

Hello everyone

we have a small network consists of 50+ clients and 1 server, and there is a ASA 5512-x between the server and clients, all those 50+ clients are required to have access to the server, so instead of creating 50+ ACLs is there a easier way to do this? (global ACL is not an option here)

Cheers

Re: how to create a ACL to allow multiple IP addresses to access

Karsten Iwen — Fri, 20 Dec 2013 12:15:01 GMT

Configure an object-group with the 50 IPs and use that object-group as the source in your ACL.

object-group network CLIENTS

network-object host 10.10.10.1

network-object host 10.10.10.3

network-object host 10.10.10.9

network-object host 10.10.10.15

access-list ACL extended permit ip object-group CLIENTS host SERVER-IP

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: how to create a ACL to allow multiple IP addresses to access

LionKin1984 — Fri, 20 Dec 2013 13:40:58 GMT

thanks for your reply Karsten, problme is the 50 clients are splitted into 4 different subnet...

how to create a ACL to allow multiple IP addresses to access to

Collin Clark — Fri, 20 Dec 2013 13:54:28 GMT

Set the security level for both interfaces the same and enable same-security-interface

how to create a ACL to allow multiple IP addresses to access to

jss.cisco — Fri, 20 Dec 2013 15:22:35 GMT

Karsten is correct. As long as your 4 different subnets are ingressing on the same interface, then create your object group using the IP's that you need.

As Colin mentioned, you can use 'same-security-traffic permit inter-interface', but in my opinion, that defeats the purpose of using a firewall to begin with. (Of course there are scenarios where you may need this).

how to create a ACL to allow multiple IP addresses to access to

Collin Clark — Fri, 20 Dec 2013 15:25:40 GMT

Can you explain why you think it defeats the purpose?

how to create a ACL to allow multiple IP addresses to access to

LionKin1984 — Fri, 20 Dec 2013 15:28:19 GMT

security level is made redundant once ACL is in place is it?

Re: how to create a ACL to allow multiple IP addresses to access

Collin Clark — Fri, 20 Dec 2013 15:32:09 GMT

Adding an ACL to an interface does not change the security level. Security levels are conifgured and they do not change unless you explicity change them.