I am using Cisco PIX version 6.2(2).
object-group network norm_nat_hosts
network-object 192.168.11.1 255.255.255.255
network-object 192.168.11.2 255.255.255.255
network-object 192.168.11.3 255.255.255.255
network-object 192.168.11.4 255.255.255.255
object-group service norm_allow_ports tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp-data
port-object eq ftp
port-object eq 8100
port-object eq 8080
access-list acl4inside permit tcp object-group norm_nat_hosts any object-group norm_allow_ports
But, I find that each of those host in norm_nat_hosts are allowed to open all ports from their machines instead of those specified in norm_allow_ports.
But, if I put each host seperately (as shown below), then only those allowed ports are opened.
access-list acl4inside permit tcp host 192.168.11.1 eq www any
access-list acl4inside permit tcp host 192.168.11.1 eq 53 any
access-list acl4inside permit tcp host 192.168.11.1 eq 443 any
access-list acl4inside permit tcp host 192.168.11.1 eq 20 any
This will go to 28 lines. While the new syntax is supposed to do the same in lesser number of lines.
What have I done wrong ?