To help save some typing, I was thinking of using object-groups for my ACLs.
I have about 8 subnets; some are on one side of a VPN and some are on the other. In order to get the ACLs to allow traffic to pass from one to another, I have to create a matrix of one subnet to all of the others, so my ACLs get to be huge.
Can I do this?
object-group protocol VPN-PROTOCOLS
 protocol-object ip
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group network NETWORK-VPN-ALL
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
 network-object 10.10.0.0 255.255.0.0
 network-object 10.11.0.0 255.255.0.0
 network-object 10.12.0.0 255.255.0.0
 network-object 10.13.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
access-list outside_nat0_inbound extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
access-list outside_cryptomap_40 extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
So would that give me something like:
access-list extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
...
access-list extended permit ip 10.13.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list extended permit ip 10.13.0.0 255.255.0.0 10.12.0.0 255.255.0.0
Thanks
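Added example, not from the post: a short Python script that expands the protocol and network groups above into the equivalent one-protocol, one-source, one-destination ACEs and counts them. The ACL name passed in and the skip_same_subnet option are illustration-only assumptions; the expansion also makes visible that using the same group as source and destination produces subnet-to-itself pairs.

```python
from itertools import product

# Constructed from the groups in the post: the four protocol objects and
# the eight /16 network objects of NETWORK-VPN-ALL.
VPN_PROTOCOLS = ["ip", "tcp", "udp", "icmp"]
NETWORK_VPN_ALL = [
    ("10.1.0.0", "255.255.0.0"), ("10.2.0.0", "255.255.0.0"),
    ("10.3.0.0", "255.255.0.0"), ("10.6.0.0", "255.255.0.0"),
    ("10.10.0.0", "255.255.0.0"), ("10.11.0.0", "255.255.0.0"),
    ("10.12.0.0", "255.255.0.0"), ("10.13.0.0", "255.255.0.0"),
]


def expand_aces(acl_name, protocols, networks, skip_same_subnet=False):
    """Expand 'permit <proto-group> <net-group> <net-group>' into the
    list of single-protocol, single-source, single-destination ACEs.

    Using one group as both source and destination also yields
    subnet-to-itself pairs; skip_same_subnet=True (an assumption for
    illustration, not an ASA option) drops those.
    """
    aces = []
    for proto, src, dst in product(protocols, networks, networks):
        if skip_same_subnet and src == dst:
            continue
        aces.append(
            f"access-list {acl_name} extended permit {proto} "
            f"{src[0]} {src[1]} {dst[0]} {dst[1]}"
        )
    return aces


def ace_count(n_protocols, n_networks, skip_same_subnet=False):
    """Number of ACEs the expansion produces: protocols x sources x destinations."""
    pairs = n_networks * n_networks
    if skip_same_subnet:
        pairs -= n_networks
    return n_protocols * pairs


if __name__ == "__main__":
    full = expand_aces("outside_cryptomap_40", VPN_PROTOCOLS, NETWORK_VPN_ALL)
    print(len(full), "ACEs; first and last:")
    print(full[0])
    print(full[-1])
    trimmed = expand_aces("outside_cryptomap_40", ["ip"], NETWORK_VPN_ALL, True)
    print(len(trimmed), "ACEs with only 'ip' and no subnet-to-itself pairs")
```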