ASA5505 - supernet crypto ACL

Steven Tolzmann
Level 1

Hi,

One of my clients has a company network consisting of 4 ASA5505s. The network looks like this:

                 ( HUB, 192.168.9.0/24 )
                   ^         ^         ^
                   |         |         |
   (spoke, 4.0/24)   (spoke, 8.0/24)   (spoke, 12.0/24)

Hub and spoke configuration where we want all private networks to be able to talk to each other. Some tunnels are dynamic l2l, others are static l2l.

I was wondering is it possible for the Tunnel ACLs to use supernets?

For example on the spokes do something like:

access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0

Since all of our Private networks are 192.168.x.x subnets? We want to avoid having to update all the spokes if we introduce another site into the VPN Network.

And on Hub something like:

access-list to_site1 extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0

access-list to_site2 extended permit ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0

So we don't have to add access lists every time a new site is added?

Just wondering if this would work, or would be considered best practice.

Thanks in advance.
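An added check, not part of the thread, that parses the ACL lines posted above and verifies the two properties this design depends on: the hub ACL for each spoke must be the exact mirror image of that spoke's crypto ACL, and the spoke-side supernet must cover the hub LAN and every other spoke. The hub LAN 192.168.9.0/24 and the 12.0/24 spoke come from the diagram; the site2 and site3 spoke ACLs are assumed by analogy with the site1 line, and site3 is deliberately left without a hub ACL to show what still has to change on the hub when a site is added.

```python
import ipaddress
import re

# Constructed sample: spoke-side and hub-side crypto ACLs from the question.
# site3 (12.0/24) has a spoke ACL but no hub ACL yet (assumed new site).
SPOKE_ACLS = {
    "site1": "access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0",
    "site2": "access-list 100 extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.0.0",
    "site3": "access-list 100 extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.0.0",
}
HUB_ACLS = {
    "site1": "access-list to_site1 extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0",
    "site2": "access-list to_site2 extended permit ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0",
}
HUB_LAN = "192.168.9.0/24"

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"access-list\s+\S+\s+extended\s+permit\s+ip\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}")

def parse_ace(line):
    """Return (src, dst) networks from an ASA 'permit ip' ACE written with dotted netmasks."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return src, dst

def is_mirror(spoke_line, hub_line):
    """IPsec proxy IDs must be swapped between the two peers, otherwise Phase 2 fails."""
    s_src, s_dst = parse_ace(spoke_line)
    h_src, h_dst = parse_ace(hub_line)
    return s_src == h_dst and s_dst == h_src

def supernet_covers(spoke_line, needed_networks):
    """True when the spoke's remote proxy ID contains every network it must reach."""
    _, remote = parse_ace(spoke_line)
    return all(ipaddress.ip_network(n).subnet_of(remote) for n in needed_networks)

def audit(spoke_acls, hub_acls, hub_lan):
    """Return {site: [problems]}; an empty list means the spoke needs no change."""
    local = {site: str(parse_ace(line)[0]) for site, line in spoke_acls.items()}
    report = {}
    for site, line in spoke_acls.items():
        problems = []
        if site not in hub_acls:
            problems.append("no hub crypto ACL for this spoke")
        elif not is_mirror(line, hub_acls[site]):
            problems.append("hub ACL is not the mirror image of the spoke ACL")
        others = [net for s, net in local.items() if s != site]
        if not supernet_covers(line, [hub_lan] + others):
            problems.append("remote proxy ID does not cover all other sites")
        report[site] = problems
    return report
```

Running `audit(SPOKE_ACLS, HUB_ACLS, HUB_LAN)` reports only the missing hub ACL for site3; the existing spokes come back clean, which is the point of the supernet.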


Vikas Saxena
Cisco Employee

This should work.
