object groups in ACL

tachyon05
Level 1

I use object groups for my Cisco 1800 routers. The egress ACL has a line (shown below) that permits staff to initiate Remote Desktop (RDP) connections from their computers on the office network vlan1 to any other computer.

permit object-group rdp_ports object-group vlan1 any

Staff also need to VPN in from home and use RDP to access their office computers from home. However, they cannot. I appended a line at the end of the egress ACL to log everything and found this when I do a show log:

list egress denied tcp 172.16.253.126(3389) -> 10.253.10.2(55661)

This shows that I need to allow computers on vlan1 (172.16.253.0/24) with a source port of 3389 to go anywhere (10.253.10.0/24 is the VPN address of the home computer in this case). I appended the following line to the ACL and it worked; staff can remote in and do RDP.

permit tcp object-group vlan1 eq 3389 any

Question: how can I convert the line above to use object-group rdp_ports (shown below)? I would like this to include ports for both PCs and Macs and special RDP ports.

object-group service rdp_ports
 tcp 3389
 tcp-udp 3283
 tcp 5900
 tcp 5988
 tcp 3390



Jon Marshall
Hall of Fame

permit tcp object-group vlan1 object-group rdp_ports any

Jon

Unfortunately, that does not work. I get an error "object group type mismatch". Where you had the service object-group rdp_ports, it was expecting a network object-group; see below.

Branch-Test(config)#ip access-list extended egress
Branch-Test(config-ext-nacl)#permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  pcp           Payload Compression Protocol
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

Branch-Test(config-ext-nacl)#permit tcp ?
  A.B.C.D       Source address
  any           Any source host
  host          A single source host
  object-group  Source network object group

Branch-Test(config-ext-nacl)#permit tcp object-group ?
  WORD  Source network object group name

Branch-Test(config-ext-nacl)#permit tcp object-group vlan1 ?
  A.B.C.D       Destination address
  any           Any destination host
  eq            Match only packets on a given port number
  gt            Match only packets with a greater port number
  host          A single destination host
  lt            Match only packets with a lower port number
  neq           Match only packets not on a given port number
  object-group  Destination network object group
  range         Match only packets in the range of port numbers

Branch-Test(config-ext-nacl)#permit tcp object-group vlan1 object-group ?
  WORD  Destination network object group name

It appears you need to add the service object-group before the source object-group. I quickly tested it on a router.

But this link says it is possible:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1077475

Creating a Network Object Group: Example

The following example shows how to create a network object group named my_network_object_group, which contains two hosts, a range of IP addresses, and a subnet as objects.

Router> enable
Router# configure terminal
Router(config)# object-group network my_network_object_group
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240

Creating a Service Object Group: Example

The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects.

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 snmp
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Creating an Object Group-Based ACL: Example

The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group.

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group object-group my_service_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit

Even if you copy and paste the example above, it does not work. I get the same error you got, which is "Object group type mismatch". There is something wrong. I will check this out for you.

-KS

I will file a documentation defect to correct the link that I pasted in my previous response.

The service object-group has to be before the source object-group.

Here is how you can use source and destination port configurations.

object-group service srv-obj
 tcp source 53                     ------- source port 53
 tcp 23                            ------- destination port 23

To add more than one source port in a single object group:

object-group service srv-og
 tcp source 53
 tcp source 80
 udp source 67
 udp source 68

Then you can call the service object-group first, then the source object-group, then the destination object-group.

I hope it is clear.

-KS
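The ordering rule above (service group in the protocol slot, then source network group, then destination) and the effect of a `tcp source 3389` entry can be checked offline before touching the router. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of how an IOS object-group ACL entry is matched. It parses only a subset of the syntax (`object-group network` with `host A` or `A MASK`, `object-group service` with numeric `tcp|udp|tcp-udp [source] PORT`, and ACL entries whose address slots are `any` or `object-group NAME`); named ports, `range`, and nested `group-object` are not handled. The group names and addresses are the ones from the thread; the `rdp_return` group and the packets are constructed. It also reproduces the router's "object group type mismatch" check, and the third packet in the demo shows the caveat a practitioner should keep in mind: a source-port permit also lets any vlan1 host reach any destination port by simply choosing source port 3389, so for return traffic the `established` keyword or a stateful mechanism (reflexive ACL or zone-based firewall) is the tighter choice.

```python
# Added example (not from the thread or from Cisco): an offline model of how
# an IOS object-group ACL entry is matched, over a small subset of the syntax.
# Group names and addresses come from the thread; rdp_return and the packets
# are constructed for illustration.
import ipaddress

CONFIG = """
object-group network vlan1
 172.16.253.0 255.255.255.0
object-group service rdp_ports
 tcp 3389
 tcp-udp 3283
 tcp 5900
object-group service rdp_return
 tcp source 3389
 tcp source 5900
ip access-list extended egress
 permit object-group rdp_ports object-group vlan1 any
 permit object-group rdp_return object-group vlan1 any
 deny ip any any log
"""


def parse_ace(t):
    """permit|deny (object-group SVC | PROTO) SRC [eq P] DST [eq P] [log],
    where SRC/DST is 'any' or 'object-group NAME'."""
    ace = {"action": t[0], "svc": None, "proto": None,
           "src": "any", "sport": None, "dst": "any", "dport": None}
    i = 1
    if t[i] == "object-group":      # a service group sits in the protocol slot
        ace["svc"], i = t[i + 1], i + 2
    else:
        ace["proto"], i = t[i], i + 1
    for side in ("src", "dst"):
        if t[i] == "object-group":
            ace[side], i = t[i + 1], i + 2
        else:                       # 'any'
            i += 1
        if i < len(t) and t[i] == "eq":
            ace[side[0] + "port"], i = int(t[i + 1]), i + 2
    return ace


def parse(config):
    nets, svcs, acls, cur = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group":                 # network or service group header
            cur = (t[1], t[2])
            (nets if t[1] == "network" else svcs)[t[2]] = []
        elif t[:3] == ["ip", "access-list", "extended"]:
            cur = ("acl", t[3])
            acls[t[3]] = []
        elif cur[0] == "network":                  # 'host A' or 'A MASK'
            spec = t[1] if t[0] == "host" else f"{t[0]}/{t[1]}"
            nets[cur[1]].append(ipaddress.ip_network(spec))
        elif cur[0] == "service":                  # 'tcp|udp|tcp-udp [source] PORT'
            protos = ("tcp", "udp") if t[0] == "tcp-udp" else (t[0],)
            side = "src" if t[1] == "source" else "dst"
            svcs[cur[1]].append((protos, side, int(t[-1])))
        else:
            acls[cur[1]].append(parse_ace(t))
    return nets, svcs, acls


def lint(config):
    """The router's 'object group type mismatch': the protocol slot needs a
    service group and the address slots network groups (unknown names too)."""
    nets, svcs, acls = parse(config)
    problems = []
    for ace in (a for entries in acls.values() for a in entries):
        if ace["svc"] is not None and ace["svc"] not in svcs:
            problems.append(f"object group type mismatch: {ace['svc']}")
        problems += [f"object group type mismatch: {ref}"
                     for ref in (ace["src"], ace["dst"])
                     if ref != "any" and ref not in nets]
    return problems


def matches(nets, svcs, ace, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sport, dip, dport = pkt
    if ace["svc"] is not None:
        ports = {"src": sport, "dst": dport}
        if not any(proto in ps and ports[side] == p for ps, side, p in svcs[ace["svc"]]):
            return False
    elif ace["proto"] not in ("ip", proto):
        return False
    if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
        return False
    return all(ref == "any" or any(ipaddress.ip_address(ip) in n for n in nets[ref])
               for ref, ip in ((ace["src"], sip), (ace["dst"], dip)))


def evaluate(config, acl, pkt):
    """First matching entry wins; the implicit deny applies otherwise."""
    problems = lint(config)
    if problems:
        raise ValueError(problems[0])
    nets, svcs, acls = parse(config)
    return next((a["action"] for a in acls[acl] if matches(nets, svcs, a, pkt)), "deny")


if __name__ == "__main__":
    for pkt in [("tcp", "172.16.253.50", 55661, "10.253.10.2", 3389),   # office PC -> home PC
                ("tcp", "172.16.253.126", 3389, "10.253.10.2", 55661),  # the denied return flow
                ("tcp", "172.16.253.126", 3389, "10.253.10.2", 22),     # source port 3389 abused
                ("tcp", "172.16.253.126", 44444, "10.253.10.2", 22)]:   # unrelated traffic
        print(pkt, "->", evaluate(CONFIG, "egress", pkt))
```

Feeding the original `permit tcp object-group vlan1 object-group rdp_ports any` line to `lint()` reports the mismatch on `rdp_ports`, the same complaint the router gives, because a service group is being referenced from a network slot.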

Here is an example I was able to get working using a service group on an FWSM:

! Here is the object group for protocols. Notice I did not specify port numbers, only the protocols.
! This implies that ALL ports available for a protocol will be included
!
object-group protocol daintestPROTOCOL
 protocol-object icmp
 protocol-object tcp
 protocol-object udp
!
! Here is the service group. With a service group, you can specify protocol, port number AND eq, lt, gt, range etc.
!
object-group service daintestSERVICE
 service-object udp eq domain
 service-object tcp eq www
 service-object tcp eq https
!
! The source networks
!
object-group network daintestNETWORK
 network-object 10.1.1.0 255.255.255.0
 network-object 10.2.2.0 255.255.255.0
!
! The destination networks
!
object-group network daintestNETWORK2
 network-object 30.30.30.0 255.255.255.0
 network-object 40.40.40.0 255.255.255.0
!
! This line permits source networks to destination with protocols icmp, tcp and udp, ALL ports and types
access-list daintest extended permit object-group daintestPROTOCOL object-group daintestNETWORK object-group daintestNETWORK2
!
! This line, which uses a service group, permits source networks to destination networks with tcp 80 and 443 and udp 53
!
access-list daintest extended permit object-group daintestSERVICE object-group daintestNETWORK object-group daintestNETWORK2

Thanks,

Dain


How does the ACL below work with multiple object groups? Please help.

access-list outside_in line 13 extended permit object-group DM_INLINE_SERVICE_6 any object-group DM_INLINE_NETWORK_17 (hitcnt=4) 0xa56a1518
access-list outside_in line 14 extended permit object-group DM_INLINE_SERVICE_6 any object obj_ItunesTest (hitcnt=9990) 0xf36f97c1
access-list outside_in line 15 extended permit object-group DM_INLINE_SERVICE_6 any object-group NAT-Health (hitcnt=134) 0x6b78a