ASA5505 Object Groups in Access-List

Unanswered Question
Aug 12th, 2009

I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list, as there are several servers behind the ASA running web servers.

However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.

In other words, it will let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site

but won't let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www

Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is OK:

access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www

Of course that doesn't really do me much good.

Is this a bug in this version of the ASA OS? Was this by design, and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?

Thanks for your assistance.

suschoud Wed, 08/12/2009 - 11:19

I tried on my box and it worked ????

######

ASA-5510-8x(config)# object-group network mynetwork
ASA-5510-8x(config-network)# net
ASA-5510-8x(config-network)# network-object host 1.1.1.1
ASA-5510-8x(config-network)# network-object host 2.2.2.2
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)# exit
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)# access-l testacl permit tcp any ob
ASA-5510-8x(config)# access-l testacl permit tcp any object-group mynetwork eq www
ASA-5510-8x(config)# sh access-l testacl
access-list testacl; 2 elements
access-list testacl line 1 extended permit tcp any object-group mynetwork eq www 0xf40a2caa
access-list testacl line 1 extended permit tcp any host 1.1.1.1 eq www (hitcnt=0) 0x11d45404
access-list testacl line 1 extended permit tcp any host 2.2.2.2 eq www (hitcnt=0) 0xf620c462

#######

HTH

Sushil


caplinktech Wed, 08/12/2009 - 12:10

Sloppiness from trying to do things in a hurry.

It was a capitalization error, must have typed too fast when typing the object group name and my "standards" didn't come in.

Thanks for getting me to slow down and think for a bit.

suschoud Wed, 08/12/2009 - 12:18

No problem.... I'm in TAC and never saw that before... was kind of amazed by the behaviour.... :)

Cheers!!



