I have a 3rd party that manages a number of servers for a client. Only the static IP on the outside interface of the client's ASA-5510 is allowed to access the servers. They use Split Tunneling on their ASA-5510, so VPN traffic bound for those servers must go through the tunnel. That is simple. The information below shows the ACLs that are in place and working. However, I would like to create an object-group for those IP addresses. I tried the object-group code below, but it didn't work.
ACLs that are working:
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4
What I would prefer to use is:
access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP
What am I doing wrong here? I ran out of testing time this evening and thought I would go ahead and post this here.
Thanks in advance!
You can only use a standard access-list for the split-tunnel ACL, see:
I hope this helps
I fear not. You cannot use object-groups in standard access lists.
You can see this in the command reference entry for standard access lists.
Have you applied this filter ACL properly? The config that you have here should work as far as the ACL, but it's useless if not applied to the group policy as follows:
group-policy My-VPN-Group-Policy attributes
vpn-filter value VPN_Users_splitTunnelAcl
Try this and let me know how it works for you...
Please rate if it helps.
Yes. I have those lines in my config. I can get the Standard ACLs to work. I just want to use an object-group and couldn't find a way to do that without using an Extended ACL.
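As an added illustration (not posted by anyone in this thread), the configuration below shows the two places a remote-access group-policy can reference an ACL and which ACL type each accepts. The split-tunnel network list is a standard ACL, which cannot use object-groups, so the hosts stay listed one per line; the vpn-filter attribute takes an extended ACL, where an object-group is allowed. The group-policy name, the object-group name, the filter ACL name and the VPN pool 10.8.0.0/24 are assumptions; STATIC_IP1 to STATIC_IP4 are the thread's own placeholders.

```cisco
! Standard ACL used as the split-tunnel network list: one host per line, no object-groups.
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4
!
! Object-groups are only accepted by extended ACLs; this one backs the vpn-filter below.
! (MANAGED_SERVERS is an assumed name.)
object-group network MANAGED_SERVERS
 network-object host STATIC_IP1
 network-object host STATIC_IP2
 network-object host STATIC_IP3
 network-object host STATIC_IP4
!
! vpn-filter ACLs are written from the remote client's perspective:
! source = addresses assigned from the VPN pool (assumed 10.8.0.0/24), destination = the servers.
! The ACL ends in an implicit deny, so anything not permitted here is dropped for this group.
access-list VPN_Users_filter extended permit ip 10.8.0.0 255.255.255.0 object-group MANAGED_SERVERS
!
group-policy My-VPN-Group-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Users_splitTunnelAcl
 vpn-filter value VPN_Users_filter
```

The split-tunnel-network-list decides which destinations the client sends through the tunnel; the vpn-filter decides what the ASA lets through once it arrives. Keeping the object-group in the extended filter ACL gives the single place to maintain the server list, while the standard ACL still has to carry the same hosts individually.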