using an access-group in an access-list statement

Unanswered Question
Apr 11th, 2003

I'm trying to use access-groups in my access lists and I keep getting an error. The general format is as follows:

access-list acl_in permit ip host object-group bkup object-group legato

I get an error stating extra-argument(s)

gfullage (Cisco Employee) Sun, 04/13/2003 - 17:38

Impossible for us to tell the problem without seeing how you've configured the bkup and legato object-groups.

Make sure you follow http://www.cisco.com/warp/public/707/pix_obj_grp.html and see how you go. If you're still having problems, please at least show us the individual object groups you've configured and EXACTLY what error you're getting.

3msands Mon, 04/14/2003 - 03:40

I think I've figured it out. It appears that the PIX doesn't like me using "ip" for protocol. If I define the access list using tcp or udp it is fine. Not sure why I'm seeing this behavior but at least I have a workaround.

gfullage (Cisco Employee) Mon, 04/14/2003 - 15:00

If "object-group legato" is a service-type group, then you definitely have to specify either tcp or udp, since that is exactly what you're telling the PIX. You can't have an access-list that includes TCP/UDP ports and then just say that's an IP access-list.
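The rule in the reply above can be checked across a saved configuration before it is pasted into the firewall. The following is an added example, not code from the thread or from Cisco: the sample configuration, its addresses, its port range, the `clients` group and the function names are all constructed assumptions, since the thread never shows the real `bkup` and `legato` definitions.

```python
import re

# Constructed sample PIX config: the addresses, ports and group contents are
# assumptions, since the thread never shows the real bkup/legato definitions.
SAMPLE_CONFIG = """\
object-group network bkup
  network-object host 192.0.2.10
  network-object host 192.0.2.11
object-group network clients
  network-object 198.51.100.0 255.255.255.0
object-group service legato tcp
  port-object range 7937 7940
access-list acl_in permit ip object-group bkup object-group clients object-group legato
access-list acl_in permit tcp object-group bkup object-group clients object-group legato
access-list acl_in permit ip object-group bkup object-group clients
"""

GROUP_RE = re.compile(r"^object-group\s+(network|service|protocol|icmp-type)\s+(\S+)")


def group_types(config):
    """Return {group name: group type} for every object-group definition."""
    return {m.group(2): m.group(1)
            for m in map(GROUP_RE.match, config.splitlines()) if m}


def find_protocol_mismatches(config):
    """Flag ACL entries that reference a service group but are not tcp or udp.

    Returns a list of (line number, ACL protocol, service group name).
    """
    types = group_types(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        proto = tok[3]
        if proto == "object-group":  # protocol object-groups are out of scope here
            continue
        # Every name that follows an "object-group" keyword after the protocol.
        refs = [tok[i + 1] for i in range(4, len(tok) - 1) if tok[i] == "object-group"]
        for name in refs:
            if types.get(name) == "service" and proto not in ("tcp", "udp"):
                findings.append((lineno, proto, name))
    return findings


if __name__ == "__main__":
    for lineno, proto, name in find_protocol_mismatches(SAMPLE_CONFIG):
        print(f"line {lineno}: '{proto}' ACL uses service object-group '{name}'; use tcp or udp")
```

Only the first access-list line in the sample is flagged: the tcp entry matches the service group, and the last ip entry references network groups only.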

