ASA5550 access-list with object-groups. Getting an error. Need help

Answered Question
Jun 21st, 2007

ASA 5550. Version 7.1(2). I'm getting the following error when configuring an access-list with object-groups:

ERROR: extra command argument(s)

Usage:

This is what I have. Don't know what's wrong. Please help.

object-group network XYZ_MGMT_NETS
 description XYZ Management Networks
 network-object 10.110.64.0 255.255.248.0
 network-object 10.110.100.0 255.255.252.0
 network-object 10.110.124.0 255.255.252.0
object-group service MGMT_APPS tcp-udp
 description XYZ Management Apps
 port-object eq 123
 port-object eq tacacs
 port-object eq 69
 port-object eq 162
 port-object eq 514
object-group protocol PROT
 description protocols (tcp/udp) for XYZ Mgmt
 protocol-object ip
 protocol-object tcp
 protocol-object udp
access-list acl_manage3 extended permit object-group PROT any object-group XYZ_MGMT_NETS object-group MGMT_APPS

Correct Answer
nihpacsris Thu, 06/21/2007 - 10:53

Could there be a problem with your protocol group, assuming I am reading it right, with an ip object inside of a tcp/udp protocol group? If tcp/udp protocols are a subset of ip, will the protocol group still work?

mpala01 Thu, 06/21/2007 - 12:04

That was it. Thank you. I removed the "protocol-object ip" from the PROT object-group and voila, it worked. Thanks once again.
