07-11-2018 04:31 AM
Hello Experts,
I have a Cisco 1941 on Site A and a Cisco ASA 5500 on Site B. I have created an IPsec tunnel between them.
I want to allow a few hosts & ports from Site A to Site B and vice versa.
On Site A we have 5 IPs:-
1. 10.10.10.1
2. 10.10.10.2
3. 10.10.10.169
4. 10.10.10.175
On Site B we have 3 IPs:-
1. 172.16.16.10
2. 172.16.16.50
3. 172.16.16.174
And only a few ports need to be allowed through the tunnel.
Ports:-80,8081
Ports:-6000-6002
Ports:-5500-5560
Now the question is:- is there any way to create a group of these mentioned IPs and ports instead of creating a long list and assigning it to the access list?
07-13-2018 10:09 PM
Hi duahimanshu816, I don't know what version of FW you have, but if you are asking about ASA, you can use object-group service for ports and object-group network for IPs.
For example:
object-group network remote-lan
network-object host 10.10.10.1
network-object host 10.10.10.2
network-object host 10.10.10.169
network-object host 10.10.10.175
exit
object-group network local-lan
network-object host 172.16.16.10
network-object host 172.16.16.50
network-object host 172.16.16.174
exit
object-group service VPN-ports
service-object tcp destination eq 80
service-object tcp destination eq 8081
service-object tcp destination range 6000 6002
service-object tcp destination range 5500 5560
exit
Then you can use remote-lan, local-lan and VPN-ports in your ACL:
access-list ACL-IN extended permit object-group VPN-ports object-group local-lan object-group remote-lan
access-list ACL-IN extended deny ip any any
Regards.-
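To check what an object-group ACL like the one above actually permits before pushing it, here is an added Python example (not from this thread and not Cisco code) that parses the ASA-style group and ACL lines from the answer into lookup tables and evaluates a flow against the ACEs first-match. It assumes only the simplified syntax used in the answer (host / network-mask network-objects, tcp destination eq / range service-objects, and the two ACE shapes shown); the sample config is constructed from the answer's lines.

```python
import ipaddress
# Constructed sample: the object-groups and ACL from the answer above, in ASA syntax.
ASA_CONFIG = """\
object-group network remote-lan
 network-object host 10.10.10.1
 network-object host 10.10.10.2
 network-object host 10.10.10.169
 network-object host 10.10.10.175
object-group network local-lan
 network-object host 172.16.16.10
 network-object host 172.16.16.50
 network-object host 172.16.16.174
object-group service VPN-ports
 service-object tcp destination eq 80
 service-object tcp destination eq 8081
 service-object tcp destination range 6000 6002
 service-object tcp destination range 5500 5560
access-list ACL-IN extended permit object-group VPN-ports object-group local-lan object-group remote-lan
access-list ACL-IN extended deny ip any any
"""

def parse(config):
    """Collect network groups, service groups and ACEs from the config lines."""
    nets, svcs, aces, cur = {}, {}, [], None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":          # start of a group; member lines follow
            cur = (nets if t[1] == "network" else svcs).setdefault(t[2], [])
        elif t[0] == "network-object":      # 'host A.B.C.D' or 'NET MASK'
            cur.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "service-object":      # 'PROTO destination eq P' or '... range LO HI'
            lo, hi = (t[4], t[4]) if t[3] == "eq" else (t[4], t[5])
            cur.append((t[1], int(lo), int(hi)))
        elif t[0] == "access-list":         # keep (action, remaining match tokens)
            aces.append((t[3], t[4:]))
    return nets, svcs, aces

def evaluate(config, proto, src, dst, dport):
    """First-match evaluation of one flow; falls through to the implicit deny."""
    nets, svcs, aces = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, spec in aces:
        if spec[0] == "object-group":       # service group, source group, destination group
            hit = (any(p == proto and lo <= dport <= hi for p, lo, hi in svcs[spec[1]])
                   and any(src in n for n in nets[spec[3]])
                   and any(dst in n for n in nets[spec[5]]))
        else:                               # 'PROTO any any'
            hit = spec[0] in ("ip", proto) and spec[1:3] == ["any", "any"]
        if hit:
            return action
    return "deny"
```

Running it shows that the permit ACE as written matches only flows sourced from local-lan toward remote-lan on the listed TCP ports; the reverse direction falls to the deny, so "vice versa" traffic needs its own ACE on the other side.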
07-16-2018 02:12 AM
Thank you Matias for your reply. I have done the ASA the same way you said above,
but what about the router side, the Cisco 1941? Because I have read that Cisco says don't use object groups for IPsec tunnels?
It will create some issues.