ASA5550 access-list with object-groups. Getting an error. Need help

mpala01
Level 1

ASA 5550. Version 7.1(2). I'm getting the following error when configuring an access-list with object-groups:

ERROR: extra command argument(s)

Usage:

This is what I have. Don't know what's wrong. Please help.

object-group network XYZ_MGMT_NETS
 description XYZ Management Networks
 network-object 10.110.64.0 255.255.248.0
 network-object 10.110.100.0 255.255.252.0
 network-object 10.110.124.0 255.255.252.0
object-group service MGMT_APPS tcp-udp
 description XYZ Management Apps
 port-object eq 123
 port-object eq tacacs
 port-object eq 69
 port-object eq 162
 port-object eq 514
object-group protocol PROT
 description protocols (tcp/udp) for XYZ Mgmt
 protocol-object ip
 protocol-object tcp
 protocol-object udp

access-list acl_manage3 extended permit object-group PROT any object-group XYZ_MGMT_NETS object-group MGMT_APPS

Accepted Solutions

nihpacsris
Level 1

Could there be a problem with your protocol group, assuming I am reading it right, with an ip object inside of a tcp/udp protocol group? If tcp/udp protocols are a subset of ip, will the protocol group still work?

That was it. Thank you. I removed the "protocol-object ip" from the PROT object-group and voila it worked. Thanks once again.
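
The conflict resolved in this thread, a protocol object-group containing ip used in an ACL line that also names a port (service) object-group, can be caught before the config is pasted into the ASA. The following is an added example, not code from the posters or from Cisco; the function names and the simplified parsing are assumptions, and the sample input is constructed from the configuration in the question.

```python
import re

PORT_PROTOCOLS = {"tcp", "udp"}  # assumption from the thread's fix: only these take ports

# Constructed sample: the configuration from the question, abbreviated.
SAMPLE = """\
object-group network XYZ_MGMT_NETS
 network-object 10.110.64.0 255.255.248.0
object-group service MGMT_APPS tcp-udp
 port-object eq 123
 port-object eq tacacs
object-group protocol PROT
 protocol-object ip
 protocol-object tcp
 protocol-object udp
access-list acl_manage3 extended permit object-group PROT any object-group XYZ_MGMT_NETS object-group MGMT_APPS
"""

def parse_groups(config):
    """Return {name: (kind, [member lines])} for every object-group."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (\S+) (\S+)", line)
        if m:
            current = groups.setdefault(m.group(2), (m.group(1), []))[1]
        elif current is not None and re.match(r"(\S+)-object ", line):
            current.append(line)
        elif line and not line.startswith("description"):
            current = None  # any other command ends the group definition
    return groups

def find_port_acl_conflicts(config):
    """List (acl, protocol_group, offending protocols) for ACL lines that pair
    a service (port) group with a protocol group holding non-tcp/udp entries."""
    groups, findings = parse_groups(config), []
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\S+) extended \S+ object-group (\S+)", line)
        if not m or groups.get(m.group(2), ("", []))[0] != "protocol":
            continue
        refs = re.findall(r"object-group (\S+)", line)[1:]
        uses_ports = any(groups.get(r, ("", []))[0] == "service" for r in refs)
        protos = [e.split()[1] for e in groups[m.group(2)][1]]
        bad = [p for p in protos if p not in PORT_PROTOCOLS]
        if uses_ports and bad:
            findings.append((m.group(1), m.group(2), bad))
    return findings
```

Run against the original configuration it reports `acl_manage3` with `ip` as the offending member of `PROT`; with `protocol-object ip` removed it reports nothing.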
