service object-group

Unanswered Question
Oct 27th, 2009

I want to replace the following:

access-list 101 permit tcp host 192.168.50.100 eq www any

access-list 101 permit tcp host 192.168.50.100 eq 443 any

I figured I could just create a service group and create the ACL.

conf t

object-group service WebServices

tcp www

tcp 443

ip access-list extended 188

permit tcp host 192.168.50.100 eq WebServices   <-- problem here

'permit tcp host 192.168.50.100 eq ?' doesn't give me the option of adding a service object group. 'permit tcp host 192.168.50.100 ?' only allows network object groups. And applying the service object group at 'permit ?' doesn't make sense (I don't know if it's source or destination ports). When I look here: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1113487 it says I should be able to put a service object group directly behind the network object group. But this isn't the case for me. 'permit tcp object-group WebServers ?' only allows network object groups. I'm running Version 12.4(24)T1 on a 7206. Anyone know how to use this properly? TIA.

Collin Clark Tue, 10/27/2009 - 14:18

Try removing the TCP keyword. Here's the line that worked for me.

access-list 188 permit object-group WebServices host 192.168.50.100 any

thotsaphon Tue, 10/27/2009 - 15:35

Steven,

Based on the document you provided, you want the service object group to be applied on the source addresses. Object groups won't work the way you want. It's because the service object group can only be applied on the destination. Why? If you read that document clearly, it says that the service object group is only there to replace the protocol keyword in the ACE. You can't use the service object group after the eq keyword. (grin)

The network object group is simply used as Src or Dest IP addresses in ACE.

The example provided by Collin is the correct syntax for permitting host 192.168.50.100 to go to any IP address with WebServices. It's something like this: "permit ip host 192.168.50.100 any eq [www&443]"

HTH,

Toshi
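Added example, not from this thread or from Cisco's own documentation: the complete object-group configuration that the answer above describes, written out for both the destination-port case that Collin's line covers and the source-port case that the original 'eq www' ACL was matching. The group and ACL names are the ones the poster used; the "source" keyword inside the service object group is taken from the IOS object-group service command syntax in the linked guide and is assumed here, so confirm it with '?' on the release in use.

```cisco
! Network object group for the host the original ACL named with "host"
object-group network WebServers
 host 192.168.50.100

! Service object group for DESTINATION ports. It replaces the protocol
! keyword in the ACE, so the ACE has no "tcp" and no "eq" after the address.
object-group service WebServices
 tcp www
 tcp 443

! Service object group matching on the SOURCE port instead. This is what
! "permit tcp host 192.168.50.100 eq www any" matched (replies from the server).
! Assumed: the "source" keyword from the IOS object-group service syntax.
object-group service WebServices-FromServer
 tcp source eq www
 tcp source eq 443

ip access-list extended 188
 ! service group first (protocol position), then source, then destination
 permit object-group WebServices object-group WebServers any
 permit object-group WebServices-FromServer object-group WebServers any
 ! make the implicit deny visible in the logs
 deny ip any any log
end

! Check how the router expanded the groups before applying the ACL to an interface
show object-group
show ip access-lists 188
```

The ordering is the whole point: the service object group takes the slot where the protocol keyword (tcp) normally goes, then the source and destination network object groups follow, which is why 'permit tcp object-group WebServers ?' only ever offers destination network object groups.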

snickered Tue, 10/27/2009 - 17:08

It still doesn't make sense to me. I want to understand why I can't issue the command 'permit tcp object-group my_network_object_group object-group my_service_object_group any' like in the document. After the network object group I'm only allowed to issue another network object group. The syntax supplied in the document looks like I can use it the way I need to, but it simply doesn't work. Here's what I see:

Router(config-ext-nacl)#permit tcp object-group WebServers ?

A.B.C.D Destination address

any Any destination host

eq Match only packets on a given port number

gt Match only packets with a greater port number

host A single destination host

lt Match only packets with a lower port number

neq Match only packets not on a given port number

object-group Destination network object group

range Match only packets in the range of port numbers

Router(config-ext-nacl)#permit tcp object-group WebServers

The document shows the next statement as 'object-group my_service_object_group' which would imply a service object group (not network object group). What gives?
