To help save some typing, I was thinking of using object-groups for my
ACLs.
I have about 8 subnets, some of which are on one side of a VPN and some on
the other. In order to get the ACLs to allow traffic to pass from one to
another I have to create a matrix of one subnet to all of the others, so my
ACLs get to be huge.
Can I do this?
object-group protocol VPN-PROTOCOLS
 protocol-object ip
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group network NETWORK-VPN-ALL
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
 network-object 10.10.0.0 255.255.0.0
 network-object 10.11.0.0 255.255.0.0
 network-object 10.12.0.0 255.255.0.0
 network-object 10.13.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
access-list outside_nat0_inbound extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
access-list outside_cryptomap_40 extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
So would that give me something like:
access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
....
access-list <ACL-Name> extended permit ip 10.13.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.13.0.0 255.255.0.0 10.12.0.0 255.255.0.0
Thanks
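The question above is really "what does the ASA expand an object-group ACE into?" The expansion is the full cross product of the protocol group, the source group and the destination group, which is also what `show access-list <name>` prints on the firewall. The following script reproduces that expansion offline so the size and contents of the resulting ACL can be checked before it is pasted into a device. It is an added example written for this page, not code from the poster or from Cisco; the sample configuration embedded in it is a constructed, trimmed copy of the posted one (two protocols and three subnets instead of four and eight), and the function names are the script's own.

```python
"""Expand Cisco ASA object-group ACLs into the individual ACEs the firewall
evaluates.  Added example for this page; not the poster's own code."""
import itertools
import re

# Constructed sample: a trimmed copy of the posted configuration (two
# protocols, three subnets) so the printed expansion stays readable.
SAMPLE_CONFIG = """\
object-group protocol VPN-PROTOCOLS
 protocol-object ip
 protocol-object tcp
object-group network NETWORK-VPN-ALL
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
access-list outside_cryptomap_40 extended permit object-group VPN-PROTOCOLS object-group NETWORK-VPN-ALL object-group NETWORK-VPN-ALL
"""

GROUP_HDR = re.compile(r"^object-group (protocol|network) (\S+)")


def parse_object_groups(config):
    """Return {group name: [member strings]} for protocol and network groups.
    Members are kept as written: "tcp", "10.1.0.0 255.255.0.0", "host 10.1.1.1"."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = GROUP_HDR.match(line)
        if m:
            current = m.group(2)
            groups[current] = []
        elif current is not None and line.startswith(" "):
            kind, _, member = line.strip().partition(" ")
            if kind in ("protocol-object", "network-object"):
                groups[current].append(member)
        else:
            current = None  # any other top-level line ends the stanza
    return groups


def _operand(tokens, i, groups):
    """Read one source/destination operand starting at tokens[i].
    Returns (list of concrete operands, index of the next token)."""
    tok = tokens[i]
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    return [f"{tok} {tokens[i + 1]}"], i + 2  # "address mask" form


def expand_acl(config, include_self_pairs=True):
    """Expand every 'access-list ... extended' line into concrete ACEs.
    include_self_pairs=False drops entries whose source equals the destination,
    i.e. the entries a hand-written subnet-to-subnet matrix would not contain."""
    groups = parse_object_groups(config)
    expanded = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, i = t[1], t[3], 4
        if t[i] == "object-group":
            protos, i = list(groups[t[i + 1]]), i + 2
        else:
            protos, i = [t[i]], i + 1
        srcs, i = _operand(t, i, groups)
        dsts, i = _operand(t, i, groups)
        tail = (" " + " ".join(t[i:])) if i < len(t) else ""  # e.g. "eq 443"
        for proto, src, dst in itertools.product(protos, srcs, dsts):
            if not include_self_pairs and src == dst:
                continue
            expanded.append(
                f"access-list {name} extended {action} {proto} {src} {dst}{tail}")
    return expanded


if __name__ == "__main__":
    for ace in expand_acl(SAMPLE_CONFIG):
        print(ace)
    print(len(expand_acl(SAMPLE_CONFIG)), "ACEs including self-pairs,",
          len(expand_acl(SAMPLE_CONFIG, include_self_pairs=False)), "without")
```

Two things the expansion makes visible. First, because the same group is used as both source and destination, every subnet is also paired with itself (10.1.0.0 to 10.1.0.0, and so on); the hand-written matrix in the post does not contain those entries, so the two forms are not identical, although the extra same-subnet entries are harmless for traffic that stays inside one subnet and never reaches the firewall. Second, `protocol-object ip` already matches all IP traffic, so the tcp, udp and icmp members add nothing except more expanded entries: with the full eight-subnet, four-protocol groups from the post each of the three ACLs expands to 4 x 8 x 8 = 256 ACEs, against 8 x 7 = 56 for the hand-written ip-only matrix.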