how to create a ACL to allow multiple IP addresses to access to one PC?

12-20-2013 03:26 AM - edited 03-11-2019 08:20 PM
Hello everyone,
We have a small network consisting of 50+ clients and 1 server, and there is an ASA 5512-X between the server and the clients. All those 50+ clients are required to have access to the server, so instead of creating 50+ ACLs, is there an easier way to do this? (A global ACL is not an option here.)
Cheers
Labels: NGFW Firewalls
12-20-2013 04:15 AM
Configure an object-group with the 50 IPs and use that object-group as the source in your ACL.
object-group network CLIENTS
 network-object host 10.10.10.1
 network-object host 10.10.10.3
 network-object host 10.10.10.9
 network-object host 10.10.10.15
access-list ACL extended permit ip object-group CLIENTS host SERVER-IP
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-20-2013 05:40 AM
Thanks for your reply Karsten, the problem is the 50 clients are split into 4 different subnets...
12-20-2013 05:54 AM
Set the security level for both interfaces the same and enable same-security-interface
12-20-2013 07:22 AM
Karsten is correct. As long as your 4 different subnets are ingressing on the same interface, then create your object group using the IPs that you need.
As Colin mentioned, you can use 'same-security-traffic permit inter-interface', but in my opinion, that defeats the purpose of using a firewall to begin with. (Of course there are scenarios where you may need this).
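As an added example (not from the thread and not from any poster), here is an ASA configuration that handles clients spread across several subnets by mixing host and subnet entries in one object-group, binds the ACL to the interface the clients ingress on, ends with an explicit logged deny, and checks the result with packet-tracer. Interface names, addresses, masks and the SERVER object are assumed.

```cisco
! Added example; all names and addresses below are assumed, not from the thread.
! Clients arrive on "inside"; the server sits behind "dmz".
object network SERVER
 host 192.168.100.10
!
! One group can hold individual hosts and whole subnets, so a subnet that is
! entirely client workstations is one line instead of 20 host entries.
object-group network CLIENTS
 description Workstations allowed to reach the server
 network-object host 10.10.10.1
 network-object host 10.10.10.3
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
!
! Only the group may reach the server; everything else from inside is denied
! and logged so the deny hits are visible in syslog.
access-list INSIDE_IN extended permit ip object-group CLIENTS object SERVER
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification: a listed host should show "Action: allow", an unlisted one "drop".
packet-tracer input inside tcp 10.10.20.5 1025 192.168.100.10 445
packet-tracer input inside tcp 10.10.50.5 1025 192.168.100.10 445
```

Hit counts per entry are visible with `show access-list INSIDE_IN`, which also shows the group expanded into its individual ACEs.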
12-20-2013 07:25 AM
As Colin mentioned, you can use 'same-security-traffic permit inter-interface', but in my opinion, that defeats the purpose of using a firewall to begin with. (Of course there are scenarios where you may need this).
Can you explain why you think it defeats the purpose?

12-20-2013 07:28 AM
The security level is made redundant once an ACL is in place, is it?
12-20-2013 07:32 AM
Adding an ACL to an interface does not change the security level. Security levels are configured and they do not change unless you explicitly change them.
