09-09-2010 09:14 PM
I have a 3rd party that manages a number of servers for a client. Only the static IP on the outside interface of the client's ASA-5510 is allowed to access the servers. They use Split Tunneling on their ASA-5510, so VPN traffic bound for those servers must go through the tunnel. That is simple. The information below shows the ACLs that are in place and working. However, I would like to create an object-group for those IP addresses. I tried the object-group code below, but it didn't work.
ACLs that are working:
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4
What I would prefer to use is:
access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP
What am I doing wrong here? I ran out of testing time this evening and thought I would go ahead and post this here.
Thanks in advance!
09-10-2010 01:40 AM
Hello,
You can only use a standard access-list for the split-tunnel ACL, see:
I hope this helps
Peter
09-10-2010 06:25 AM
Pevaneyn,
Is there any way to create a Standard ACL that uses an object-group? I couldn't find one.
09-10-2010 07:22 AM
Hi again,
I fear not. You cannot use object-groups in standard access lists.
You can see this in the command reference entry for standard access lists.
Sorry, Peter
09-10-2010 05:40 AM
Have you applied this filter ACL properly? The config that you have here should work as far as the ACL, but it's useless if not applied to the group policy as follows:
group-policy My-VPN-Group-Policy attributes
vpn-filter value VPN_Users_splitTunnelAcl
Try this and let me know how it works for you.....
Please rate if it helps.
09-10-2010 06:27 AM
antonioknox,
Yes. I have those lines in my config. I can get the Standard ACLs to work. I just want to use an object-group and couldn't find a way to do that without using an Extended ACL.
09-10-2010 06:59 AM
Oh, okay. Bad news, dude. That won't be possible, object groups cannot be used in a standard ACL.
Please rate if it helps.
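As an added example that is not part of the thread: a small Python linter for an ASA config fragment that flags exactly the two problems the thread ends on, a split-tunnel ACL that is not a standard ACL and one that references an object-group. The `split-tunnel-network-list` group-policy attribute, the ACL name `BAD_SPLIT` and the sample addresses are constructed for this example and not taken from the posts.

```python
import re

# Constructed ASA config fragment (not from the thread). The standard ACL
# is valid; BAD_SPLIT repeats the extended/object-group form that the thread
# shows does not work for split tunneling.
SAMPLE_CONFIG = """
object-group network MY_OBJECT_GROUP
 network-object host 203.0.113.10
 network-object host 203.0.113.11
access-list VPN_Users_splitTunnelAcl standard permit host 203.0.113.10
access-list VPN_Users_splitTunnelAcl standard permit host 203.0.113.11
access-list BAD_SPLIT extended permit ip any object-group MY_OBJECT_GROUP
group-policy My-VPN-Group-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BAD_SPLIT
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+(.*)$")
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list value\s+(\S+)")


def check_split_tunnel_acls(config: str) -> list[str]:
    """Return one finding per misuse of an ACL referenced as a split-tunnel list."""
    acl_types: dict[str, set[str]] = {}  # ACL name -> {"standard", "extended"}
    acl_uses_object_group: set[str] = set()
    split_acls: list[str] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, kind, body = m.groups()
            acl_types.setdefault(name, set()).add(kind)
            if "object-group" in body.split():
                acl_uses_object_group.add(name)
            continue
        m = SPLIT_RE.match(line)
        if m:
            split_acls.append(m.group(1))

    findings = []
    for name in split_acls:
        kinds = acl_types.get(name)
        if kinds is None:
            findings.append(f"{name}: referenced by split-tunnel-network-list but never defined")
        elif kinds != {"standard"}:
            findings.append(f"{name}: split-tunnel ACL must be standard, found {sorted(kinds)}")
        if name in acl_uses_object_group:
            findings.append(f"{name}: object-group is not accepted in a split-tunnel (standard) ACL")
    return findings
```

Running `check_split_tunnel_acls(SAMPLE_CONFIG)` reports both problems with `BAD_SPLIT`; pointing the group policy at `VPN_Users_splitTunnelAcl` instead produces no findings.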