02-26-2020 07:48 AM
Hi,
I would like to see how extended access lists are created for a VPN on a Cisco ASA. I have seen several VPN creation tutorials, but all of them use standard access lists. I need to change my current standard access lists to extended ones in my VPN / Cisco AnyConnect. What should I keep in mind when replacing these access lists?
Sorry for my English.
Thanks.
ASA 5525
ASA Version 9.6(3)1
02-26-2020 10:20 AM
Standard ACLs are used when the source network in the traffic is not important. These ACLs are used by processes like OSPF and VPN tunnels (such as AnyConnect).
02-26-2020 11:19 AM
Thanks for the reply.
Let me detail my query:
I have standard ACLs configured in an AnyConnect VPN (site to client), but I want to change them to an extended ACL.
I already made the change but it doesn't work for me. This is an example: with the standard ACL it works, with the extended ACL it does not work.
Works:
access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155
Does not work:
access-list splittunnel-acl-VPN_USER-ext extended permit ip any host 192.168.76.155
02-26-2020 11:38 AM
As said earlier, standard ACLs are used when the source network in the traffic is not important. In AnyConnect VPN you always use a standard ACL, not an extended ACL. Why do you want to use an extended ACL?
This works because your source network is not important:
access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155
The split tunnel's purpose is to push a reverse route to the client; this won't work with an extended ACL, and actually, even if you define it, it won't serve the purpose. If you wish to define port restrictions, you can use a vpn-filter:
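The combination the answer above describes, shown as an added ASA CLI example that is not part of the thread: the standard ACL from the question stays as the split-tunnel network list (it only decides which destinations the client routes into the tunnel), and a separate extended ACL applied with vpn-filter enforces the per-port restriction. The group-policy, tunnel-group and pool names, and the 10.10.10.0/24 client pool, are assumed for illustration. The vpn-filter lines are written from the client's perspective (pool address as source, inside host and port as destination); the ASA applies a vpn-filter to traffic in both directions, so one line per allowed service is enough, but confirm the direction semantics against the documentation for the ASA version in use.

```cisco
! Added example, not from the thread. Names in CAPS and the 10.10.10.0/24 pool are assumed.
!
! 1. Split tunnel list: a STANDARD ACL listing only the destination networks
!    that the client should route into the tunnel (pushed as routes to the client).
access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155
!
! 2. Port restriction: an EXTENDED ACL applied as a vpn-filter.
!    Source = address the client gets from the pool (assumed 10.10.10.0/24),
!    destination = inside host and the service port you want to allow.
!    Everything else from this user group is dropped and logged.
access-list VPN_USER-filter extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.76.155 eq 443
access-list VPN_USER-filter extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.76.155 eq 3389
access-list VPN_USER-filter extended deny ip any any log
!
! 3. Address pool, group policy and tunnel group that tie the two lists together.
ip local pool VPN_USER-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
group-policy GP-VPN_USER internal
group-policy GP-VPN_USER attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel-acl-VPN_USER
 vpn-filter value VPN_USER-filter
!
tunnel-group TG-VPN_USER type remote-access
tunnel-group TG-VPN_USER general-attributes
 address-pool VPN_USER-pool
 default-group-policy GP-VPN_USER
!
! Verification after a client connects:
!   show vpn-sessiondb detail anyconnect     (filter name shown per session)
!   show access-list VPN_USER-filter         (hit counts on each line)
```

Two points worth keeping in mind when using this pattern. First, with the default `sysopt connection permit-vpn` the ASA exempts decrypted VPN traffic from the interface ACLs, so the vpn-filter is the only ACL standing between the client and the inside host; leave the explicit `deny ip any any log` in place so unexpected traffic shows up in the logs. Second, changing the split-tunnel list only changes what the client routes into the tunnel; it never restricts ports, which is why the extended split-tunnel ACL in the question could not achieve the goal.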
02-26-2020 12:12 PM
Perfect!
That is exactly what I need: to filter services (ports) in the VPN ACLs.
Your answer is very clear to me, thank you very much.