SplitTunnel ACLs

I have a 3rd party that manages a number of servers for a client.  Only the static IP on the outside interface of the client's ASA-5510 is allowed to access the servers.  They use Split Tunneling on their ASA-5510, so VPN traffic bound for those servers must go through the tunnel.  That is simple.  The information below shows the ACLs that are in place and working.  However, I would like to create an object-group for those IP addresses.  I tried the object-group code below, but it didn't work.

ACLs that are working:

access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP1
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP2

access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP3
access-list VPN_Users_splitTunnelAcl standard permit host STATIC_IP4

What I would prefer to use is:

access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP

What am I doing wrong here?  I ran out of testing time this evening and thought I would go ahead and post this here.

Thanks in advance!

Pevaneyn,

Is there any way to create a Standard ACL that uses an object-group?  I couldn't find one.

Hi again,

I fear not. You cannot use object-groups in standard access lists.

You can see this in the command reference entry for standard access lists.

Sorry, Peter

Have you applied this filter ACL properly?  The config that you have here should work as far as the ACL, but it's useless if not applied to the group policy as follows:

group-policy My-VPN-Group-Policy attributes
vpn-filter value VPN_Users_splitTunnelAcl

Try this and let me know how it works for you.....

Please rate if it helps.

antonioknox,

Yes.  I have those lines in my config.  I can get the Standard ACLs to work.  I just want to use an object-group and couldn't find a way to do that without using an Extended ACL.

Oh, okay.  Bad news, dude. That won't be possible, object groups cannot be used in a standard ACL.

Please rate if it helps.
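The thread ends on two practical constraints: a standard ACL cannot reference an object-group, so the split-tunnel list has to spell out one `permit host` line per server, while the object-group is still useful in extended ACLs such as a vpn-filter. The script below is an added example, not code from the thread or a Cisco tool. It generates both forms from one host list, validates that every entry is an IPv4 address (standard ACLs on the ASA are IPv4-only, which this example assumes), and lints a configuration excerpt for the two mistakes the thread ran into: an `object-group` token inside a `standard` ACE, and one ACL name carrying both `standard` and `extended` entries (the latter is an assumption of this example, not something the thread states). The 203.0.113.x addresses are constructed stand-ins for the STATIC_IPn placeholders above.

```python
import ipaddress
import re
from collections import defaultdict

# Matches an ASA access-list line and captures name, type and the rest of the ACE.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+(.*)$")


def invalid_hosts(hosts):
    """Return the entries that are not plain IPv4 host addresses."""
    bad = []
    for h in hosts:
        try:
            ipaddress.IPv4Address(h)
        except ValueError:
            bad.append(h)
    return bad


def standard_split_tunnel_acl(acl_name, hosts):
    """Emit the per-host standard ACEs a split-tunnel network list needs.

    Standard ACLs cannot reference an object-group (the thread's conclusion),
    so every protected server gets its own 'permit host' line.
    """
    bad = invalid_hosts(hosts)
    if bad:
        raise ValueError(f"not IPv4 host addresses: {bad}")
    return [f"access-list {acl_name} standard permit host {ipaddress.IPv4Address(h)}"
            for h in hosts]


def object_group_for_extended(group_name, hosts):
    """Emit a network object-group for use in extended ACLs (e.g. a vpn-filter)."""
    bad = invalid_hosts(hosts)
    if bad:
        raise ValueError(f"not IPv4 host addresses: {bad}")
    lines = [f"object-group network {group_name}"]
    lines += [f" network-object host {ipaddress.IPv4Address(h)}" for h in hosts]
    return lines


def lint_acl_lines(lines):
    """Flag ACL entries the ASA will reject or that will not behave as intended.

    Checks: (1) 'object-group' inside a standard ACE; (2) one ACL name mixing
    standard and extended entries (assumed invalid for this example).
    """
    problems = []
    kinds = defaultdict(set)
    for n, raw in enumerate(lines, 1):
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # not an access-list line; ignore
        name, kind, rest = m.groups()
        kinds[name].add(kind)
        if kind == "standard" and "object-group" in rest.split():
            problems.append(f"line {n}: standard ACL {name} cannot reference an object-group")
    for name, ks in kinds.items():
        if len(ks) > 1:
            problems.append(f"ACL {name} mixes standard and extended entries")
    return problems


# Constructed sample: the working standard lines plus the two rejected attempts.
SAMPLE_CONFIG = [
    "access-list VPN_Users_splitTunnelAcl standard permit host 203.0.113.10",
    "access-list VPN_Users_splitTunnelAcl standard permit host 203.0.113.11",
    "access-list VPN_Users_splitTunnelAcl extended permit ip any object-group MY_OBJECT_GROUP",
    "access-list VPN_Users_splitTunnelAcl standard permit object-group MY_OBJECT_GROUP",
]

if __name__ == "__main__":
    hosts = ["203.0.113.10", "203.0.113.11"]  # constructed stand-ins for STATIC_IP1/2
    print("\n".join(standard_split_tunnel_acl("VPN_Users_splitTunnelAcl", hosts)))
    print("\n".join(object_group_for_extended("MY_OBJECT_GROUP", hosts)))
    for p in lint_acl_lines(SAMPLE_CONFIG):
        print("PROBLEM:", p)
```

Run it as-is to see the generated lines and the two lint findings; feed `lint_acl_lines` a `show running-config access-list` dump to check an existing box for the same mixed-type mistake before pasting new entries.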