02-17-2014 03:26 AM
Dear All,
Is there a way to assign more than one ACL to a VPN profile or implement a nested ACL structure?
I am trying to avoid modifying a large list of ACLs to insert the same ACE in each ACL bound to different VPN profiles.
02-17-2014 03:34 AM
Hi,
If we are talking about ASAs and VPN Filter ACLs, then have you considered the option where you change the global setting
NOTE: The below setting should not be changed unless you know its effects in your environment
sysopt connection permit-vpn
to
no sysopt connection permit-vpn
So that you can handle all access control on your external interface's interface ACL rather than with separate VPN Filter ACLs?
Naturally in an existing environment this might be a bit tricky to implement as BEFORE changing the above setting you would have to make sure that all the traffic required (or everything) from the VPN connections is allowed in the interface ACL.
Implementing this would eventually let you modify a single ACL (the external interface ACL) for all the rules that should apply to connections initiated from behind VPN Connections.
- Jouni
02-17-2014 03:38 AM
This would not fall in line with our requirements since the filters are all business specific and hence have separate access rules which would be a bit complex to regulate with an interface ACL.
My research with regards to nested ACLs has not proved fruitful hence I believe this option does not exist as yet.
02-17-2014 03:58 AM
Hi,
I know only a few basic ways to control the VPN users' traffic; they basically are
In some cases we might use a separate device to do the access control.
But I guess if the requirement is to have a specific ACL for each VPN user group then the original suggestion is not an option for you.
I was just thinking that using the same ACL would make it easier to generate the new configuration addition. At least in the sense that the ACL name for each rule would be the same. If you didn't make too broad ACL rules it would not really allow any connectivity between the different networks involved, though that would also depend on the NAT configurations, not just the ACL.
- Jouni
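The thread ends without a nested-ACL feature, so the practical workaround is to generate the per-ACL commands rather than type them. The script below is an added example, not code from either poster or from Cisco: it reads a constructed snippet of ASA running-config, collects every ACL named by a `vpn-filter value <acl>` line (under group-policy or username attributes, which is the assumed ASA syntax), skips ACLs that already contain the ACE, and renders one `access-list <name> extended ...` command per remaining filter. All ACL, group-policy and address values are made up for the example.

```python
"""Render the ASA commands that add one ACE to every VPN filter ACL.

Added example for this thread; not code from the original posts.
Assumes standard ASA CLI syntax: `vpn-filter value <acl>` under
group-policy/username attributes, and `access-list <acl> extended ...`.
"""
from __future__ import annotations

import re

# Constructed sample of an ASA running-config; every name and address is made up.
SAMPLE_CONFIG = """\
access-list VPN-FILTER-FINANCE extended permit tcp 10.10.0.0 255.255.0.0 any eq 443
access-list VPN-FILTER-HR extended permit tcp 10.20.0.0 255.255.0.0 any eq 443
access-list VPN-FILTER-HR extended permit udp 10.20.0.0 255.255.0.0 host 192.0.2.53 eq 53
group-policy GP-FINANCE attributes
 vpn-filter value VPN-FILTER-FINANCE
group-policy GP-HR attributes
 vpn-filter value VPN-FILTER-HR
username contractor1 attributes
 vpn-filter value VPN-FILTER-FINANCE
"""

# `vpn-filter value <acl>` appears indented under group-policy or username attributes.
VPN_FILTER_RE = re.compile(r"^\s*vpn-filter value (\S+)\s*$", re.MULTILINE)
# Extended ACEs: `access-list <acl> extended <permit|deny> ...`
ACE_RE = re.compile(r"^access-list (\S+) (extended .+?)\s*$", re.MULTILINE)


def vpn_filter_acls(config: str) -> list[str]:
    """Distinct ACL names bound as VPN filters, in first-seen order."""
    seen: list[str] = []
    for name in VPN_FILTER_RE.findall(config):
        if name not in seen:
            seen.append(name)
    return seen


def existing_aces(config: str) -> dict[str, set[str]]:
    """Map each ACL name to the set of extended ACEs it already contains
    (whitespace-normalised so formatting differences do not cause duplicates)."""
    aces: dict[str, set[str]] = {}
    for name, ace in ACE_RE.findall(config):
        aces.setdefault(name, set()).add(" ".join(ace.split()))
    return aces


def commands_to_add(config: str, ace: str) -> list[str]:
    """Commands that append `ace` to every VPN filter ACL lacking it.

    Appended ACEs go after the existing entries and before the implicit deny,
    so an ACL that already ends in an explicit `deny ip any any` would shadow
    the new entry; in that case insert with `access-list <acl> line <n> ...`.
    """
    ace = " ".join(ace.split())
    have = existing_aces(config)
    commands: list[str] = []
    for name in vpn_filter_acls(config):
        if ace in have.get(name, set()):
            continue  # idempotent: this filter already carries the ACE
        commands.append(f"access-list {name} {ace}")
    return commands


if __name__ == "__main__":
    # Example: let every VPN user group reach the (made-up) internal DNS server.
    for cmd in commands_to_add(SAMPLE_CONFIG, "extended permit udp any host 192.0.2.53 eq 53"):
        print(cmd)
```

Run it against the output of `show running-config` instead of the sample to get a paste-ready change set; the idempotence check means re-running after a partial change only emits the commands that are still missing.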