
object-group command with access-list not working properly

Mar 14th, 2003

I am using Cisco PIX version 6.2(2).


object-group network norm_nat_hosts
  network-object 192.168.11.1 255.255.255.255
  network-object 192.168.11.2 255.255.255.255
  network-object 192.168.11.3 255.255.255.255
  network-object 192.168.11.4 255.255.255.255

object-group service norm_allow_ports tcp
  port-object eq www
  port-object eq domain
  port-object eq https
  port-object eq ftp-data
  port-object eq ftp
  port-object eq 8100
  port-object eq 8080

access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports



But, I find that each of those hosts in norm_nat_hosts is allowed to open all ports from their machines instead of those specified in norm_allow_ports.

But, if I put each host separately (as shown below), then only those allowed ports are opened.



access-list acl4inside permit tcp host 192.168.11.1 eq www any
access-list acl4inside permit tcp host 192.168.11.1 eq 53 any
access-list acl4inside permit tcp host 192.168.11.1 eq 443 any
access-list acl4inside permit tcp host 192.168.11.1 eq 20 any
.........
.......etc



This will go to 28 lines, while the new syntax is supposed to do the same in fewer lines.

What have I done wrong?


You aren't comparing apples to apples. Your acl statement that uses object groups has any in a different place - it says from these hosts, on any ports, make connections to any machines on object-group norm_allow_ports.


I think that:


access-list acl4inside permit tcp object-group norm_nat_hosts object-group norm_allow_port any


will do what you are seeking - allow norm_nat_hosts to make connections to anyone from only norm_allow_ports.



josephsilvin Sat, 03/15/2003 - 03:13

My objective is to convert from old outbound to new access-list and then deploy the object-group to simplify the configuration. The details are as follows:


Old configuration:


global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 permit 192.168.11.11 255.255.255.255 80 tcp
apply (inside) 10 outgoing_src


New syntax:


fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

global (outside) 1 62.12.4.19
nat (inside) 1 192.168.11.11 255.255.255.255 0 0
access-list 101 permit tcp host 192.168.11.11 any eq 80
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 62.12.4.1 1


In the first case only port 80 is allowed out. All others are blocked. In the new syntax, all ports are allowed out from 192.168.11.11/24 on the inside interface.

What is wrong in this configuration? I am using PIX 6.2(2).

gfullage (Cisco Employee) Sun, 03/16/2003 - 18:58

This config should be blocking any traffic that is initiated from this internal host unless it has a destination port of 80 (http). What are you seeing that shows all ports are allowed out? Can you show us the syslog in the PIX that shows a connection being built outbound from this host for a port other than 80 please?

josephsilvin Sun, 03/16/2003 - 21:12

I have done the following:


access-list 101 permit tcp host 192.168.11.11 any eq 80
access-list 101 deny ip any any
access-group 101 in interface inside


After some testing (for ports www, smtp, ssh etc.), the show access-list command gives the following output:

access-list 101 permit tcp host 192.168.11.11 any eq www (hitcnt=0)
access-list 101 deny ip any any (hitcnt=46)


This would be interpreted as follows (I guess) - all ports are going to the deny statement rather than allowing port 80 traffic.


This happens when the access-list is applied to the inside interface. If not applied, then all ports are allowed, as traffic from the more secure interface is allowed by default to go to the less secure interface. If applied, nothing is allowed to go out.... why?

What next?

josephsilvin Mon, 03/17/2003 - 00:37

The objective (say) is to browse - i.e. one will try to send packets to the destination IP's port 80 from the source IP's higher ports.


Since the syntax is:


access-list permit tcp


So, in this case it will be:

access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports


where

object-group norm_nat_hosts = source ip

any = destination ip

group norm_allow_ports = destination port
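The positional point made in this post (source address, then source port, then destination address, then destination port) can be checked offline. The following is an added example, not code from the thread or from Cisco: a hypothetical parser for the ACE forms used above that expands the object-groups and reports which entry a given connection would hit, in the spirit of the hitcnt counters shown earlier. The group contents, host addresses and the two ACE variants are transcribed from the thread; the destination 10.0.0.1 and source port 40000 are constructed.

```python
import ipaddress

# Constructed sample data transcribed from the thread; hypothetical helper, not PIX code.
NET_GROUPS = {"norm_nat_hosts": ["192.168.11.1/32", "192.168.11.2/32",
                                 "192.168.11.3/32", "192.168.11.4/32"]}
SVC_GROUPS = {"norm_allow_ports": [80, 53, 443, 20, 21, 8100, 8080]}
PORT_NAMES = {"www": 80, "domain": 53, "https": 443, "ftp-data": 20, "ftp": 21}

def _take_addr(toks):
    """Consume one address spec (any | host A | object-group G | A MASK) -> networks."""
    t = toks.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(toks.pop(0) + "/32")]
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in NET_GROUPS[toks.pop(0)]]
    return [ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)]

def _take_port(toks):
    """Consume an optional port spec (eq P | object-group SVC); None means any port."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        p = toks.pop(0)
        return [PORT_NAMES.get(p) or int(p)]
    if len(toks) > 1 and toks[0] == "object-group" and toks[1] in SVC_GROUPS:
        toks.pop(0)
        return SVC_GROUPS[toks.pop(0)]
    return None

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC [SPORT] DST [DPORT]' -> dict.
    Position decides meaning: a port spec right after SRC is a source port."""
    toks = line.split()[2:]                      # drop 'access-list NAME'
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _take_addr(toks), _take_port(toks)
    dst, dport = _take_addr(toks), _take_port(toks)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def first_match(acl, proto, src, sport, dst, dport):
    """(index, action) of the first ACE the connection hits; implicit deny if none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(acl):
        if (a["proto"] in ("ip", proto) and any(s in n for n in a["src"])
                and any(d in n for n in a["dst"])
                and (a["sport"] is None or sport in a["sport"])
                and (a["dport"] is None or dport in a["dport"])):
            return i, a["action"]
    return None, "deny"                          # implicit deny at the end of a PIX ACL

# The first post's ACE (group in the destination-port slot) vs the reply's (source-port slot).
ORIGINAL = [parse_ace("access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports"),
            parse_ace("access-list acl4inside deny ip any any")]
SUGGESTED = [parse_ace("access-list acl4inside permit tcp object-group norm_nat_hosts object-group norm_allow_ports any"),
             parse_ace("access-list acl4inside deny ip any any")]
```

Calling `first_match(ORIGINAL, "tcp", "192.168.11.1", 40000, "10.0.0.1", 80)` models a browser connection from an ephemeral port to port 80; swapping in `SUGGESTED` or a destination port outside the group shows which entry catches it instead.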

