I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list, as there are several servers behind the ASA running web servers.
However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.
In other words, it will let me do:
access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site
but won't let me do:
access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www
Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:
access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www
Of course that doesn't really do me much good.
Is this a bug in this version of the ASA OS? Was this by design, and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?
Thanks for your assistance.