1771 Views, 0 Helpful, 4 Replies

Extended ACLs for VPN in Cisco ASA

danielmanqui
Level 1

Hi,
I would like to see how extended access lists are created for a VPN on a Cisco ASA. I have seen several VPN creation tutorials, but all of them use standard access lists. I need to change my current standard access lists to extended ones in my VPN / Cisco AnyConnect. What should I keep in mind when replacing these access lists?

Sorry for my English.

Thanks.

 

ASA 5525

ASA Version 9.6(3)1

 

Accepted Solution

As said earlier, standard ACLs are used when the source network in the traffic is not important. In AnyConnect VPN you always use a standard ACL, not an extended ACL. Why do you want to put in the extended ACL?

 

Works (this works because your source network is not important):

access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155

 

 

The split tunnel's purpose is to push a reverse route to the client; this won't work with an extended ACL, and actually, even if you define it, it won't serve the purpose. If you wish to define a port restriction, you can use a vpn-filter:

 

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

Please do not forget to rate.

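As an added example (not from the original post or from Cisco's document), here is how the two pieces fit together in a group policy on the ASA: the standard ACL from this thread stays as the split-tunnel list, and the port restriction goes into a separate extended ACL applied as a vpn-filter. The group-policy name GP-VPN_USER, the address pool VPN-POOL (10.10.10.0/24), the filter ACL name vpnfilter-acl-VPN_USER and the permitted ports (443 and 3389) are assumptions chosen for illustration; only the split-tunnel ACL and the host 192.168.76.155 come from the thread.

```text
! Added example for this thread, not from the original post. GP-VPN_USER,
! VPN-POOL (10.10.10.0/24), vpnfilter-acl-VPN_USER and ports 443/3389 are
! assumed names and values.
!
! 1. Split-tunnel list: must be a STANDARD ACL. It lists only destination
!    networks, which the ASA pushes to the AnyConnect client as routes into
!    the tunnel. There is no source or port here, so "extended" adds nothing.
access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155
!
! 2. Port restriction: an EXTENDED ACL used as a vpn-filter. Write each rule
!    from the client's point of view: source = VPN client address (the pool),
!    destination = inside host and port. Per the Cisco vpn-filter document
!    linked above, the ASA also checks the reverse direction by swapping
!    source and destination, so mirror rules for return traffic are not needed.
access-list vpnfilter-acl-VPN_USER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.76.155 eq 443
access-list vpnfilter-acl-VPN_USER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.76.155 eq 3389
! Implicit deny at the end: anything else through the tunnel for this group
! (other hosts, other ports, DNS, ICMP) is dropped unless permitted above.
!
! 3. Bind both in the group policy. split-tunnel-network-list takes the
!    standard ACL; vpn-filter takes the extended ACL.
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GP-VPN_USER internal
group-policy GP-VPN_USER attributes
 address-pools value VPN-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel-acl-VPN_USER
 vpn-filter value vpnfilter-acl-VPN_USER
!
! 4. Verify with one test user connected:
! show vpn-sessiondb detail anyconnect      (session shows the filter name)
! show access-list vpnfilter-acl-VPN_USER    (hit counts per line while testing)
```

Two things to keep in mind before applying this on a production ASA: the vpn-filter ACL ends in an implicit deny, so every service the users need (including DNS if it is resolved through the tunnel) must be listed explicitly; and because the filter is bound in the group policy, it applies to every user who lands in GP-VPN_USER, so test with a single account and watch the hit counts before rolling it out to the whole group. Do not reuse the vpn-filter ACL as an interface access-group; the Cisco document linked above warns against that because the two are evaluated from different perspectives.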

4 Replies

Standard ACLs are used when the source network in the traffic is not important. These ACLs are used by processes like OSPF and VPN tunnels (such as AnyConnect).

Please do not forget to rate.

Thanks for the reply.
I'll detail my query:
I have standard ACLs configured in an AnyConnect VPN (site-to-client), but I want to change it to an extended ACL.
I already made the change but it doesn't work for me. This is an example; with the standard ACL it works, with the extended ACL it does not work:

 

Works:

access-list splittunnel-acl-VPN_USER standard permit host 192.168.76.155

 

Does not work:

access-list splittunnel-acl-VPN_USER-ext extended permit ip any host 192.168.76.155

 


Perfect!
That is exactly what I need: to filter services (ports) in the VPN ACLs.
Your answer is very clear to me, thank you very much.