Group Access List for ipsec tunnel!!

duahimanshu816 · ‎07-11-2018

Hello Experts,

I have cisco 1941 on site A and Cisco asa 5500 on the Site B. I have created IPSec tunnel within.

I want to Allow few host & ports from Site A to SIte B and vice versa.

On Site A we have 5 IPs :-

1. 10.10.10.1

2.10.10.10.2

3.10.10.10.169

4.10.10.10.175

On Site B we have 3 IPs:-

1. 172.16.16.10

2. 172.16.16.50

3. 172.16.16.174

And, only few ports needs to be allowed through the tunnel.

Ports:-80,8081

Ports:-6000-6002

Ports:-5500-5560

Now the question is:- is there any way to create group of these mentioned IPs and ports instead of creating long list and assigned into the access list?

#Mat · ‎07-13-2018

Hi duahimanshu816, I don't know what version of FW do you have but, if you are asking about ASA, you can use object-group service for ports and object-group network for IP.

for example:

object-group network remote-lan

network-object host 10.10.10.1

network-object host 10.10.10.2

network-object host 10.10.10.169

network-object host 10.10.10.175

exit

object-group network local-lan

network-object host 172.16.16.10

network-object host 172.16.16.50

network-object host 172.16.16.174

exit

object-group service VPN-ports

service-object tcp destination eq 80

service-object tcp destination eq 8081

service-object tcp destination range 6000 6002

service-object tcp destination range 5500 5560

exit

then you can use remote-lan, local-lan and VPN-ports in your ACL.

access-list ACL-IN extended permit object-group VPN-ports object-group local-lan object-group remote-lan

access-list ACL_IN extended deny ip any any

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_objects.html#pg…

Regards.-

.

duahimanshu816 · ‎07-16-2018

Thank Matias for you reply, please I have done ASA the same way you said above,

what about the Router side Cisco 1941? Because i have read that cisco says dont use object group for Ipsec tunnel?

it will create some issues.