I'm not very familiar with the ASA. Is there a way to turn this ACL into an object group so that it is easier to maintain?
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.32.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.32.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.2.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.2.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.10.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.10.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.33.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.33.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit udp any any eq isakmp
access-list VPN-ALLOCATIONS extended permit icmp any any
Here is what I tried, but I think it may be more than I need:
object-group network VPN-SITES
network-object host 172.16.1.130
network-object host 172.16.2.130
network-object host 172.16.10.130
network-object host 172.16.32.130
network-object host 172.16.33.130
object-group protocol APPROVED-PROTO
protocol-object esp
protocol-object icmp
!
access-list TEST extended permit object-group APPROVED-PROTO object-group VPN-SITES object-group VPN-SITES
access-list TEST extended permit object-group APPROVED-PROTO host 172.16.1.130 object-group VPN-SITES
access-list TEST extended permit object-group APPROVED-PROTO object-group VPN-SITES host 172.16.1.130
access-list TEST extended permit udp host 172.16.1.130 eq isakmp object-group VPN-SITES eq isakmp
access-list TEST extended permit udp object-group VPN-SITES eq isakmp host 172.16.1.130 eq isakmp
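Whatever object-group layout is chosen, the check worth running before the rewrite replaces the flat ACL is whether the two permit the same traffic. The script below is an added example, not part of the question and not a Cisco tool: it expands both ACLs above into concrete (protocol, source, source port, destination, destination port) permits and lists the permits that exist only in one of them. It parses only the syntax used in the question (permit lines with host, any, NET MASK and object-group addresses, plus an optional eq PORT) and takes the /30 subnets of the original and the .130 host objects of the rewrite exactly as written. Run on these two snippets, it reports that the host-only rewrite no longer covers the original /30 subnets, and that the group-to-group line adds ESP between spoke pairs that the original ACL did not permit.

```python
"""Added example: expand two ASA ACLs into concrete permits and diff them, so an
object-group rewrite can be checked against the flat ACL it replaces."""
import ipaddress

# Both snippets are copied from the question above (constructed input).
ORIGINAL = """
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.32.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.32.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.2.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.2.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.10.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.10.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.1.128 255.255.255.252 172.16.33.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit esp 172.16.33.128 255.255.255.252 172.16.1.128 255.255.255.252
access-list VPN-ALLOCATIONS extended permit udp any any eq isakmp
access-list VPN-ALLOCATIONS extended permit icmp any any
"""
REFACTORED = """
object-group network VPN-SITES
network-object host 172.16.1.130
network-object host 172.16.2.130
network-object host 172.16.10.130
network-object host 172.16.32.130
network-object host 172.16.33.130
object-group protocol APPROVED-PROTO
protocol-object esp
protocol-object icmp
!
access-list TEST extended permit object-group APPROVED-PROTO object-group VPN-SITES object-group VPN-SITES
access-list TEST extended permit object-group APPROVED-PROTO host 172.16.1.130 object-group VPN-SITES
access-list TEST extended permit object-group APPROVED-PROTO object-group VPN-SITES host 172.16.1.130
access-list TEST extended permit udp host 172.16.1.130 eq isakmp object-group VPN-SITES eq isakmp
access-list TEST extended permit udp object-group VPN-SITES eq isakmp host 172.16.1.130 eq isakmp
"""

def parse_addr(tokens, groups=None):
    """Consume one ASA address spec (any / host X / NET MASK / object-group G)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    return (tokens[1], tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)

def parse_asa(text):
    """Return (permit ACEs as token lists, {group name: members}). Only the
    syntax used in the question is understood; deny lines are ignored."""
    aces, groups, current = [], {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "object-group":          # header of a network or protocol group
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.extend(parse_addr(t[1:])[0])
        elif t[0] == "protocol-object":
            current.append(t[1])
        elif t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            aces.append(t[4:])              # protocol, source[, port], dest[, port]
    return aces, groups

def expand(ace, groups):
    """One ACE -> set of (proto, src, sport, dst, dport) concrete permits."""
    protos, rest = ((groups[ace[1]], ace[2:]) if ace[0] == "object-group"
                    else ([ace[0]], ace[1:]))
    srcs, rest = parse_addr(rest, groups)
    sport, rest = parse_port(rest)
    dsts, rest = parse_addr(rest, groups)
    dport, _ = parse_port(rest)
    return {(p, s, sport, d, dport) for p in protos for s in srcs for d in dsts}

def expand_all(text):
    aces, groups = parse_asa(text)
    return set().union(*(expand(a, groups) for a in aces))

def covered(rule, ruleset):
    """True if some rule in ruleset permits everything `rule` permits."""
    p, s, sp, d, dp = rule
    return any(q == p and t.supernet_of(s) and e.supernet_of(d)
               and sq in (None, sp) and dq in (None, dp)
               for q, t, sq, e, dq in ruleset)

def acl_diff(original, refactored):
    """Return (lost, gained): permits only in the original / only in the rewrite."""
    a, b = expand_all(original), expand_all(refactored)
    lost = sorted((r for r in a if not covered(r, b)), key=str)
    gained = sorted((r for r in b if not covered(r, a)), key=str)
    return lost, gained

def permit(proto, src, dst, sport=None, dport=None):
    """Build a concrete permit tuple from address strings (convenience helper)."""
    return (proto, ipaddress.ip_network(src), sport, ipaddress.ip_network(dst), dport)

if __name__ == "__main__":
    for label, rules in zip(("only in original", "only in rewrite"), acl_diff(ORIGINAL, REFACTORED)):
        print(f"{label} ({len(rules)}):", *rules, sep="\n  ")
```

Coverage is checked in both directions on purpose: a rewrite that silently narrows a rule breaks a tunnel, while one that silently widens it (a full mesh where the original was hub-and-spoke) is a policy change that should be a deliberate decision, not a side effect of tidying the configuration.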