04-12-2010 01:58 PM - edited 03-11-2019 10:32 AM
I am trying to limit the amount of typing by creating groups and adding an ACL dependent on those groups, however I cannot get it to work. Attached you will see (hopefully) what I am trying to accomplish. I need to allow a few remote hosts to contact a set of servers using Terminal Services. Using ACLs per device seems to work, but assigning one ACL using "object-groups" is not working. What am I missing? Any help is appreciated!
PIX 525 version 7.2
object-group service Term_Service tcp
description Microsoft Terminal Services
port-object eq 3389
object-group service web tcp
description HTTP and HTTPS
port-object eq https
port-object eq www
object-group network Remote_Infinite_Campus
network-object host xx.21.235.8
network-object host xx.21.235.8
object-group network Local_Infinite_Campus
network-object host xx4.184.x.x30
network-object host xx4.184.x.x31
network-object host xx4.184.x.x32
network-object host xx4.184.x.x33
network-object host xx4.184.x.x34
object-group network All_Infinite_Campus
group-object network Local_Infinite_Campus
group-object network Remote_Infinite_Campus
access-list outside_in extended permit tcp object-group All_Infinite_Campus object-group Term_Service object-group web
access-list outside_in line 100 extended permit tcp host xx.21.235.8 host xx4.184.x.x30 eq 3389
access-list outside_in line 101 extended permit tcp host xx.21.235.8 host xx4.184.x.x31 eq 3389
access-list outside_in line 102 extended permit tcp host xx.21.235.8 host xx4.184.x.x32 eq 3389
access-list outside_in line 103 extended permit tcp host xx.21.235.8 host xx4.184.x.x33 eq 3389
access-list outside_in line 104 extended permit tcp host xx.21.235.8 host xx4.184.x.x34 eq 3389
access-list outside_in line 105 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in line 106 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in line 107 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in line 108 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in line 109 extended permit tcp xxx.225.137.0 255.255.255.0 host xx4.184.x.x34 eq 3389
04-12-2010 03:50 PM
The ACL should be as follows:
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web
Hope that helps.
04-13-2010 06:26 AM
Thanks halijenn for your response,
This is how the ACL looks now, but it still is not working. When I create the individual ACL statements for each connection it works fine, and when issuing the "show access-list" command the statements look the same as they do when applied with object-group.
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web
Thanks again!
04-13-2010 06:30 AM
What do you mean by it's not working?
For inbound connection, you also need a static translation statement. Do you have that?
04-13-2010 06:45 AM
I do have the static statements required:
static (inside,outside) xx4.184.x.x30 netmask 255.255.255.255
static (inside,outside) xx4.184.x.x31 netmask 255.255.255.255
static (inside,outside) xx4.184.x.x32 netmask 255.255.255.255
static (inside,outside) xx4.184.x.x33 netmask 255.255.255.255
static (inside,outside) xx4.184.x.x34 netmask 255.255.255.255
static (inside,outside) xx4.184.x.x35 netmask 255.255.255.255
When the statements look like this, the connections are made:
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp host xx.21.x35.8 host xx4.184.x.x34 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x30 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x31 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x32 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x33 eq 3389
access-list outside_in extended permit tcp xxx.225.x37.0 255.255.255.0 host xx4.184.x.x34 eq 3389
Like this, 0 hit count, no connections made:
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list outside_in extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group web
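What the PIX does with an object-group ACE is expand it element-wise into one entry per source/destination/port combination, which is the per-flow list that "show access-list" prints. The Python model below is an added example, not part of this thread and not a Cisco tool: it parses object-groups and ACL lines in the syntax used above, expands each ACL the same way, and reports flows that the explicit ACEs permit but the object-group version does not. The config it parses is constructed from the posted one with the masked octets replaced by RFC 5737 documentation addresses (203.0.113.8 for the remote host, 192.0.2.x for the servers, 198.51.100.0/24 for the remote network); the ACL names "grouped" and "explicit", the NAMED_PORTS table and all function names are assumptions. Run as-is it shows one thing already visible in the posted config: Remote_Infinite_Campus lists the same host twice and has no entry for the /24 network that the per-host ACEs permit, so the object-group ACE covers only the single host. That narrows the two forms' coverage but does not by itself explain a zero hit count from that host.

```python
import ipaddress
from collections import defaultdict
from itertools import product

NAMED_PORTS = {"www": 80, "https": 443}  # PIX port keywords used on this page
# Constructed config modelled on the thread; masked octets are replaced with
# RFC 5737 documentation addresses, so these are not the poster's real hosts.
SAMPLE_CONFIG = """
object-group service Term_Service tcp
 port-object eq 3389
object-group network Remote_Infinite_Campus
 network-object host 203.0.113.8
 network-object host 203.0.113.8
object-group network Local_Infinite_Campus
 network-object host 192.0.2.30
 network-object host 192.0.2.31
object-group network All_Infinite_Campus
 group-object Local_Infinite_Campus
 group-object Remote_Infinite_Campus
access-list grouped extended permit tcp object-group Remote_Infinite_Campus object-group Local_Infinite_Campus object-group Term_Service
access-list explicit extended permit tcp host 203.0.113.8 host 192.0.2.30 eq 3389
access-list explicit extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.30 eq 3389
"""


def to_port(token):
    return NAMED_PORTS.get(token) or int(token)


def parse_config(text):
    """Collect network groups, service groups and ACL lines from PIX config text."""
    nets, svcs, acls = defaultdict(list), defaultdict(list), defaultdict(list)
    current = None  # name of the object-group whose body we are inside
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "description":
            continue
        if t[0] == "object-group":
            current = t[2]
        elif t[0] == "network-object":  # 'host A' or 'A MASK'
            spec = t[2] + "/32" if t[1] == "host" else f"{t[1]}/{t[2]}"
            nets[current].append(ipaddress.ip_network(spec, strict=False))
        elif t[0] == "group-object":  # nested group; an optional 'network' token is tolerated
            nets[current].append(("group", t[-1]))
        elif t[0] == "port-object" and t[1] == "eq":
            svcs[current].append(to_port(t[2]))
        elif t[0] == "access-list":
            acls[t[1]].append(t[2:])
    return nets, svcs, acls


def resolve_net(nets, name):
    """Flatten a network group, recursing into group-object, with duplicates removed."""
    out = []
    for item in nets[name]:
        out += resolve_net(nets, item[1]) if isinstance(item, tuple) else [item]
    return list(dict.fromkeys(out))


def take_addr(tokens, i, nets):  # one address operand at tokens[i] -> (networks, next index)
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tokens[i] == "object-group":
        return resolve_net(nets, tokens[i + 1]), i + 2
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)], i + 2


def take_ports(tokens, i, svcs):  # service operand 'eq P' or 'object-group S'; None = any port
    if i >= len(tokens):
        return [None]
    if tokens[i] == "eq":
        return [to_port(tokens[i + 1])]
    if tokens[i] == "object-group":
        return list(svcs[tokens[i + 1]])
    raise ValueError(f"unsupported service operand: {' '.join(tokens[i:])}")


def expand_acl(nets, svcs, acls, name):
    """Expand each ACE element-wise into (src_net, dst_net, port): the per-flow
    entries the PIX actually evaluates and that 'show access-list' prints."""
    expanded = []
    for ace in acls[name]:
        if ace[:3] != ["extended", "permit", "tcp"]:
            raise ValueError(f"only 'extended permit tcp' ACEs are modelled: {ace}")
        srcs, i = take_addr(ace, 3, nets)
        dsts, i = take_addr(ace, i, nets)
        for entry in product(srcs, dsts, take_ports(ace, i, svcs)):
            if entry not in expanded:
                expanded.append(entry)
    return expanded


def permitted(expanded, src_ip, dst_ip, port):  # does some expanded ACE permit src -> dst:port?
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn and p in (None, port) for sn, dn, p in expanded)


if __name__ == "__main__":
    nets, svcs, acls = parse_config(SAMPLE_CONFIG)
    grouped = expand_acl(nets, svcs, acls, "grouped")
    explicit = expand_acl(nets, svcs, acls, "explicit")
    for entry in (e for e in explicit if e not in grouped):
        print("permitted by the explicit ACEs but not by the object-group ACE:", *entry)
```

To compare a real configuration, paste the object-group and access-list lines from "show running-config" into SAMPLE_CONFIG (only "extended permit tcp" ACEs are modelled) and diff the two expansions; any flow present in one list and absent from the other is a difference in what the firewall will actually permit, independent of how the lines look when displayed.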
04-14-2010 03:47 AM
Have you applied your access-list on the outside interface as follows?
access-group outside_in in interface outside
04-14-2010 06:52 AM
Yes, "access-group outside_in in interface outside" is in place. I'm stuck!
04-14-2010 09:41 PM
Are you sure that the traffic is coming into the ASA? I would try clearing the ARP cache on the router in front of the ASA and/or reloading it. You might want to make sure that the router is forwarding the traffic to the ASA.
Then try to connect and see if you see hit count.