01-28-2010 03:08 PM - edited 03-11-2019 10:02 AM
I use object groups on my Cisco 1800 routers. The egress ACL has a line (shown below) that permits staff to initiate Remote Desktop (RDP) connections from their computers on the office network vlan1 to any other computer.
permit object-group rdp_ports object-group vlan1 any
Staff also need to VPN in from home and use RDP to access their office computers. However, they cannot. I appended a line at the end of the egress ACL to log everything and found this when I do a show log:
list egress denied tcp 172.16.253.126(3389) -> 10.253.10.2(55661)
This shows that I need to allow computers on vlan1 (172.16.253.0/24) with a source port of 3389 to go anywhere (10.253.10.0/24 is the VPN address of the home computer in this case). I appended the following line to the ACL and it worked; staff can remote in and do RDP.
permit tcp object-group vlan1 eq 3389 any
Question: how can I convert the line above to use object-group rdp_ports (shown below)? I would like this to include ports for both PCs and Macs and special RDP ports.
object-group service rdp_ports
tcp 3389
tcp-udp 3283
tcp 5900
tcp 5988
tcp 3390
02-02-2010 06:02 AM
I will file a documentation defect to correct the link that I pasted in my previous response.
Service object-group has to be before the source object-group.
Here is how you can use source and destination port configurations.
object-group service srv-obj
 tcp source 53 ------- source port 53
 tcp 23 ------- destination port 23
To add more than one source port in a single object group:
object-group service srv-og
 tcp source 53
 tcp source 80
 udp source 67
 udp source 68
Then you call the service object-group first, then the source object-group, then the destination object-group.
I hope it is clear.
-KS
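Added example (not Cisco code and not from any post in this thread) that models in Python how a service object-group is matched against the flow from the show log line above: the original rdp_ports entries name destination ports, so the reply leaving vlan1 from port 3389 never matches them, while the same ports written with the source keyword do, and acl_line shows the operand order described in the answer. Matching is simplified to single-port entries; the rdp_src_ports group and the Flow type are constructed for the example.

```python
"""Model IOS service object-group matching (added example, not Cisco code)."""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto src_port dst_port")

def parse_service_group(text):
    """Return (name, entries); entry = (proto, 'source'|'destination', port)."""
    lines = [ln.split() for ln in text.strip().splitlines()]
    entries = []
    for parts in lines[1:]:
        side = "source" if parts[1] == "source" else "destination"
        entries.append((parts[0], side, int(parts[-1])))
    return lines[0][2], entries

def matches(entries, flow):
    """True if an entry matches the protocol and the port on the side it names."""
    for proto, side, port in entries:
        protos = ("tcp", "udp") if proto == "tcp-udp" else (proto,)
        port_in_flow = flow.src_port if side == "source" else flow.dst_port
        if flow.proto in protos and port_in_flow == port:
            return True
    return False

def as_source_ports(text, new_name):
    """Rewrite 'tcp 3389' entries as 'tcp source 3389' so return traffic matches."""
    body = re.sub(r"^(\s*(?:tcp|udp|tcp-udp)) (\d+)", r"\1 source \2", text, flags=re.M)
    return re.sub(r"service \S+", f"service {new_name}", body, count=1)

def acl_line(service_group, src_group, dst="any"):
    """The operand order IOS accepts: service group, source network group, destination."""
    return f"permit object-group {service_group} object-group {src_group} {dst}"

# Denied flow from the thread's log: office PC answering RDP from port 3389 to the VPN client.
LOGGED_FLOW = Flow("tcp", 3389, 55661)
RDP_PORTS = """object-group service rdp_ports
 tcp 3389
 tcp-udp 3283
 tcp 5900
 tcp 5988
 tcp 3390"""

def evaluate():
    """Flow result for the original group and for its constructed source-port rewrite."""
    results = {}
    for text in (RDP_PORTS, as_source_ports(RDP_PORTS, "rdp_src_ports")):
        name, entries = parse_service_group(text)
        results[name] = matches(entries, LOGGED_FLOW)
    return results
```

evaluate() returns False for rdp_ports and True for rdp_src_ports. Note that a permit keyed only on source port 3389 admits any vlan1 host sending from that port whether or not an RDP session exists, so a stateful mechanism such as IOS reflexive ACLs is the tighter way to admit return traffic.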
01-28-2010 04:19 PM
permit tcp object-group vlan1 object-group rdp_ports any
Jon
01-28-2010 04:41 PM
Unfortunately, that does not work. I get an error "object group type mismatch". Where you had the service object-group rdp_ports, it was expecting a network object-group; see below.
Branch-Test(config)#ip access-list extended egress
Branch-Test(config-ext-nacl)#permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
pcp Payload Compression Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Branch-Test(config-ext-nacl)#permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
object-group Source network object group
Branch-Test(config-ext-nacl)#permit tcp object-group ?
WORD Source network object group name
Branch-Test(config-ext-nacl)#permit tcp object-group vlan1 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
object-group Destination network object group
range Match only packets in the range of port numbers
Branch-Test(config-ext-nacl)#permit tcp object-group vlan1 object-group ?
WORD Destination network object group name
01-28-2010 08:54 PM
It appears you need to add the service object-group before the source object-group. I quickly tested it on a router.
But this link says it is possible.
The following example shows how to create a network object group named my_network_object_group, which contains two hosts, a range of IP addresses, and a subnet as objects.
Router> enable
Router# configure terminal
Router(config)# object-group network my_network_object_group
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240
The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects.
Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 snmp
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs
The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group.
Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group object-group my_service_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit
Even if you copy and paste the example above it does not work.
I get the same error you got, which is "Object group type mismatch". There is something wrong.
I will check this out for you.
-KS
11-17-2010 09:31 AM
Here is an example I was able to get working using a service group on an FWSM:
! Here is the object group for protocols. Notice I did not specify port numbers, only the protocols.
! This implies that ALL ports available for a protocol will be included
!
object-group protocol daintestPROTOCOL
protocol-object icmp
protocol-object tcp
protocol-object udp
!
! Here is the service group. With a service group, you can specify protocol, port number AND eq, lt, gt, range etc.
!
object-group service daintestSERVICE
service-object udp eq domain
service-object tcp eq www
service-object tcp eq https
!
! The source networks
!
object-group network daintestNETWORK
network-object 10.1.1.0 255.255.255.0
network-object 10.2.2.0 255.255.255.0
!
! The destination networks
!
object-group network daintestNETWORK2
network-object 30.30.30.0 255.255.255.0
network-object 40.40.40.0 255.255.255.0
!
! This line permits source networks to destination networks with protocols icmp, tcp and udp, ALL ports and types
access-list daintest extended permit object-group daintestPROTOCOL object-group daintestNETWORK object-group daintestNETWORK2
!
! This line, which uses a service group, permits source networks to destination networks with tcp 80 and 443 and udp 53
!
access-list daintest extended permit object-group daintestSERVICE object-group daintestNETWORK object-group daintestNETWORK2
Thanks,
Dain