Block all ports and allow specific

Rockyy
Level 1

Hi,

How can I block all ports from inside to outside and allow only specific traffic towards the outside?

What is the best practice to do that? Should I use an ACL or the global_policy?

10 Replies

Francesco Molino
VIP Alumni
Hi

The thing is, if you're using the global filter ACL, it'll come after the interface ACL in the ACL processing order.
So if you want to block only from those 2 zones I would recommend using an interface ACL.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Can you please give an example?

Because this is what I am looking for: allow only specific ports on the 10.0 network, and allow everything on the 20.0 network towards the outside world.

Hi

Here are 2 examples.

If your 2 subnets are behind the same interface, it would be easier to create the ACL for this interface; let's say it's named inside:

object network LAN-10
 subnet 10.10.10.0 255.255.255.0
object network LAN-20
 subnet 10.10.20.0 255.255.255.0
object-group service TEST-TCP tcp
 port-object eq ftp
 port-object eq smtp
access-list inside_access_in line 1 extended permit tcp object LAN-10 any object-group TEST-TCP
access-list inside_access_in line 2 extended permit ip object LAN-20 any
access-group inside_access_in in interface inside

If those subnets are spread over multiple interfaces, you can also choose to create a global policy. But be sure not to override this with a local ACL attached to the interface. As soon as you have an interface ACL, this one will take precedence over the global one:

object network LAN-10
 subnet 10.10.10.0 255.255.255.0
object network LAN-20
 subnet 10.10.20.0 255.255.255.0
object-group service TEST-TCP tcp
 port-object eq ftp
 port-object eq smtp
access-list global_access line 1 extended permit tcp object LAN-10 any object-group TEST-TCP
access-list global_access line 2 extended permit ip object LAN-20 any
access-group global_access global

Hope that answers your question.

Thanks
Francesco
PS: Please don't forget to rate and select as accepted answer if this answered your question
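As an added illustration (not code from this thread, and not Cisco's), here is a small Python model of the ACL processing order the two answers above rely on: the inbound ACL on the ingress interface is evaluated first, then the global ACL, then the implicit deny, and only when no ACL is bound at all does the plain security-level rule (higher level may reach lower) decide. It parses the object, object-group, access-list and access-group lines exactly as they appear in the answer; the security levels (inside 100, outside 0), the destination 203.0.113.10, the port-name table and the extra global_access line used in the note below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Service keywords used in the thread; constructed table, not from the page.
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)

@dataclass
class Asa:
    levels: dict                                  # interface -> security level (assumed)
    objects: dict = field(default_factory=dict)   # network object -> subnet
    groups: dict = field(default_factory=dict)    # service object-group -> ports
    acls: dict = field(default_factory=dict)      # ACL name -> [(action, proto, src, dst, dports)]
    bindings: dict = field(default_factory=dict)  # interface name or "global" -> ACL name

    def load(self, config: str) -> None:
        """Parse the subset of ASA syntax used in the answer above."""
        current = None
        for raw in config.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[0] == "object" and t[1] == "network":
                current = t[2]
            elif t[0] == "object-group" and t[1] == "service":
                current = t[2]
                self.groups[current] = set()
            elif t[0] == "subnet":
                self.objects[current] = ipaddress.IPv4Network(f"{t[1]}/{t[2]}")
            elif t[0] == "port-object":
                self.groups[current].add(port(t[2]))
            elif t[0] == "access-list":
                self._parse_ace(t)
            elif t[0] == "access-group":
                # "access-group NAME global" or "access-group NAME in interface IF"
                self.bindings["global" if t[2] == "global" else t[4]] = t[1]

    def _addr(self, t: list, i: int):
        # Returns (network, next index) for 'any', 'object NAME' or 'ADDR MASK'.
        if t[i] == "any":
            return ANY, i + 1
        if t[i] == "object":
            return self.objects[t[i + 1]], i + 2
        return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2

    def _parse_ace(self, t: list) -> None:
        name, i = t[1], 2
        if t[i] == "line":  # optional "line N"; order here is already positional
            i += 2
        action, proto = t[i + 1], t[i + 2]  # t[i] is the "extended" keyword
        src, i = self._addr(t, i + 3)
        dst, i = self._addr(t, i)
        dports = None  # None means any destination port
        if i < len(t):  # trailing "object-group NAME" or "eq PORT"
            dports = self.groups[t[i + 1]] if t[i] == "object-group" else {port(t[i + 1])}
        self.acls.setdefault(name, []).append((action, proto, src, dst, dports))

    def check(self, ingress: str, egress: str, src: str, dst: str,
              proto: str, dport: Optional[int] = None) -> str:
        """Verdict for a new connection: interface ACL, then global ACL, then implicit
        deny; with no ACL bound at all, the security levels decide."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        bound = False
        for key in (ingress, "global"):
            name = self.bindings.get(key)
            if name is None:
                continue
            bound = True
            for action, ace_proto, ace_src, ace_dst, dports in self.acls[name]:
                if (ace_proto in ("ip", proto) and s in ace_src and d in ace_dst
                        and (dports is None or dport in dports)):
                    return action  # first match wins
        if bound:
            return "deny"
        return "permit" if self.levels[ingress] > self.levels[egress] else "deny"

# Object and access-list lines are the answer's own; access-group is left to build().
BASE_CONFIG = """
object network LAN-10
 subnet 10.10.10.0 255.255.255.0
object network LAN-20
 subnet 10.10.20.0 255.255.255.0
object-group service TEST-TCP tcp
 port-object eq ftp
 port-object eq smtp
access-list inside_access_in line 1 extended permit tcp object LAN-10 any object-group TEST-TCP
access-list inside_access_in line 2 extended permit ip object LAN-20 any
"""

def build(extra: str = "") -> Asa:
    # Assumed security levels inside=100, outside=0; 'extra' is appended config.
    asa = Asa(levels={"inside": 100, "outside": 0})
    asa.load(BASE_CONFIG + extra)
    return asa
```

With `build("access-group inside_access_in in interface inside")`, LAN-10 to tcp/25 is permitted, LAN-10 to tcp/443 is denied by the implicit deny, and LAN-20 to anything is permitted. With `build()` alone (the ACL defined but never bound with access-group) the same LAN-10 tcp/443 flow is permitted, because an unbound ACL is never consulted and the inside-to-outside security-level rule still applies; that is also why such an ACL shows hitcnt=0. Binding an extra `access-list global_access extended permit tcp any any eq https` as the global ACL alongside the interface ACL shows the order the first answer describes: the interface ACL is consulted first, and a flow it does not match falls through to the global ACL before the implicit deny.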

Awesome! It worked.

I have a question regarding VPN: my IPsec site-to-site keeps disconnecting if it's idle. I tried to set lifetime 0 and lifetime 84600 but it disconnects after a while.

And then I have to re-initiate the traffic from both ends and it connects back.

Also, below are the logs; what are these logs?

17:14:57 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!

Sep 06 17:32:37 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

FW-COLUMBUS-01# show running-config | inc nat
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

I guess I'm stuck on ACL.

Internet -> ASA -> SWITCH -> USERS
ASA 172.16.1.254
SWITCH 172.16.1.250

ASA#
C 1.1.1.0 255.255.248.0 is directly connected, outside
S 172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
S 172.16.6.0 255.255.255.0 [1/0] via 172.16.1.250, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
S 172.16.2.0 255.255.255.0 [1/0] via 172.16.1.250, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside

SWITCH#
Gateway of last resort is 172.16.1.254 to network 0.0.0.0

172.16.0.0/24 is subnetted, 5 subnets
C 172.16.50.0 is directly connected, Vlan50
C 172.16.10.0 is directly connected, Vlan10
C 172.16.6.0 is directly connected, Vlan6
C 172.16.1.0 is directly connected, Vlan100
C 172.16.2.0 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 172.16.1.254

If I apply any ACL on the ASA it doesn't work, and any ACL I apply on the switch works :S

Hi

Your first log means that something went wrong with the crypto exchange.
The second is that you have a public IP directly on the ASA and the VPN isn't built behind a NAT device.
Did you set the vpn-idle-timeout under your group-policy?

What are you trying to do with the ACL? Which ACL are you configuring on the ASA? Show some output so we can see what's broken.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

** The second is that you have a public IP directly on the ASA and the VPN isn't built behind a NAT device. **
Also, these are my NAT rules:
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

*** Did you set the vpn-idle-timeout under your group-policy? ***
There is a lifetime option, not vpn-idle-timeout.

**** What are you trying to do with the ACL? Which ACL are you configuring on the ASA? Show some output so we can see what's broken. ****
Internet -> ASA -> SWITCH -> USERS
ASA 172.16.1.254
SWITCH 172.16.1.250

ASA#
C 1.1.1.0 255.255.248.0 is directly connected, outside
S 172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
S 172.16.6.0 255.255.255.0 [1/0] via 172.16.1.250, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
S 172.16.2.0 255.255.255.0 [1/0] via 172.16.1.250, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside

SWITCH#
Gateway of last resort is 172.16.1.254 to network 0.0.0.0

172.16.0.0/24 is subnetted, 5 subnets
C 172.16.50.0 is directly connected, Vlan50
C 172.16.10.0 is directly connected, Vlan10
C 172.16.6.0 is directly connected, Vlan6
C 172.16.1.0 is directly connected, Vlan100
C 172.16.2.0 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 172.16.1.254

I have applied and followed the same steps, but by default everything from inside to outside is allowed. I want to block all inside-to-outside internet access and allow only particular protocols on the inside network, on some particular VLAN.

show running-config access-list
access-list icmp extended permit icmp any any
access-list ANYCONNECT-ACL standard permit 172.16.10.0 255.255.255.0
access-list IPSEC-ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 179 extended permit ip any any

******

show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list icmp; 1 elements; name hash: 0xd0afc639
access-list icmp line 1 extended permit icmp any any (hitcnt=0) 0x0d89bf2f
access-list ANYCONNECT-ACL; 1 elements; name hash: 0x641bbe77
access-list ANYCONNECT-ACL line 1 standard permit 172.16.10.0 255.255.255.0 (hitcnt=0) 0x89ce4221
access-list IPSEC-ACL; 2 elements; name hash: 0x3241599b
access-list IPSEC-ACL line 1 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x9aec448f
access-list IPSEC-ACL line 2 extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xb9baf087
access-list 179; 1 elements; name hash: 0x5730afd6
access-list 179 line 1 extended permit ip any any (hitcnt=0) 0x64d1b9b8

That's also weird: nothing hits my ACLs at all. Neither the VPN ones.

For the NAT, it's just to exempt NAT for communication between your internal hosts and VPN hosts.
For the VPN idle timeout, check here in the Cisco doc:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-groups.html#ID-2439-00000954
Search for vpn-idle-timeout.

For the ACL, I'm sorry but maybe I'm missing something, because I don't understand your issue. You're showing your routing table.
Tell me which ACL you have implemented exactly and what you're trying to access.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question