05-27-2011 12:42 AM
Hi,
One of my clients has a company network consisting of 4 ASA5505s. The network looks like this:
                 ( HUB , 192.168.9.0/24 )
                ^           ^           ^
                ^           ^           ^
  (spoke, 4.0/24)   (spoke, 8.0/24)   (spoke, 12.0/24)
Hub and spoke configuration where we want all private networks to be able to talk to each other. Some tunnels are dynamic l2l, others are static l2l.
I was wondering is it possible for the Tunnel ACLs to use supernets?
For example on the spokes do something like:
access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0
since all of our private networks are 192.168.x.x subnets. We want to avoid having to update all the spokes if we introduce another site into the VPN network.
And on Hub something like:
access-list to_site1 extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0
access-list to_site2 extended permit ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0
So we don't have to add access lists every time a new site is added?
Just wondering if this would work, or would be considered best practice.
Thanks in advance.
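As an added example (not from the original post or Cisco), here is a small Python check of the design asked about above: it parses the hub and spoke crypto ACLs, confirms each spoke/hub pair is an exact mirror (a phase 2 requirement), and reports which spokes would need a new ACE when a further site (192.168.12.0/24, taken from the diagram) is added. Function names and the per-site comparison ACLs are hypothetical; the supernet ACLs are the ones from the question.

```python
import ipaddress

def parse_ace(line):
    """Parse one ASA line 'access-list NAME extended permit ip SRC MASK DST MASK'
    into (name, (src_network, dst_network)). Only this ACE shape is handled."""
    t = line.split()
    if len(t) != 9 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = ipaddress.IPv4Network(f"{t[5]}/{t[6]}")   # ipaddress accepts addr/netmask
    dst = ipaddress.IPv4Network(f"{t[7]}/{t[8]}")
    return t[1], (src, dst)

def parse_acl(lines):
    """Group ACE lines by ACL name: {name: [(src, dst), ...]}."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls

def is_mirror(spoke_aces, hub_aces):
    """Crypto ACLs on the two peers must be exact mirrors (src/dst swapped);
    otherwise the IPsec proxy identities will not match and the SA fails."""
    return {(s, d) for s, d in spoke_aces} == {(d, s) for s, d in hub_aces}

def spokes_needing_update(spokes, new_net):
    """spokes: {name: (local_net, aces)}. Return the spokes whose crypto ACL does
    not already select traffic from their own LAN to new_net (a new site)."""
    new_net = ipaddress.IPv4Network(new_net)
    return [n for n, (local, aces) in spokes.items()
            if not any(local.subnet_of(s) and new_net.subnet_of(d) for s, d in aces)]

SITE1, SITE2 = ipaddress.IPv4Network("192.168.4.0/24"), ipaddress.IPv4Network("192.168.8.0/24")

# Supernet design from the question: hub side ...
HUB_ACLS = parse_acl([
    "access-list to_site1 extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0",
    "access-list to_site2 extended permit ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0",
])
# ... and spoke side (each spoke's ACL is named 100 as in the question).
SPOKE_ACLS = {
    "site1": (SITE1, parse_acl(["access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0"])["100"]),
    "site2": (SITE2, parse_acl(["access-list 100 extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.0.0"])["100"]),
}
# Constructed comparison: per-site /24 ACEs (hub LAN 192.168.9.0/24 plus the other spoke).
PER_SITE_SPOKES = {
    "site1": (SITE1, parse_acl(["access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0",
                                "access-list 100 extended permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.0"])["100"]),
    "site2": (SITE2, parse_acl(["access-list 100 extended permit ip 192.168.8.0 255.255.255.0 192.168.9.0 255.255.255.0",
                                "access-list 100 extended permit ip 192.168.8.0 255.255.255.0 192.168.4.0 255.255.255.0"])["100"]),
}
```

Two things the check does not capture: with a /16 selector the crypto ACL no longer limits which sites may reach each other, so any per-site restriction has to live in interface ACLs or a vpn-filter; and spoke-to-spoke traffic relayed by the hub enters and leaves the same outside interface, which the ASA only permits with same-security-traffic permit intra-interface.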
05-27-2011 04:29 AM
This should work.