03-31-2006 11:23 PM
I am attempting to create object-groups to make the management of the access list easier. I am planning on using network, protocol, service and icmp-type groups.
Here is one of the object containers:
object-group protocol tunnel-protocol
description Protocols allowed across VPN Tunnel to Tiffany
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group service tunnel-service tcp
description Services allowed across VPN Tunnel to Tiffany
port-object eq ssh
port-object eq www
port-object eq https
port-object eq 3690
port-object eq 3306
object-group network vpn_philippines
description Networks allowed for VPN Tunnel Philippines Side
network-object host 203.82.38.76
network-object host 203.82.38.77
network-object host 203.82.38.78
exit
object-group network vpn_tiffany
description Networks allowed for VPN Tunnel Tiffany Side
network-object host 70.169.128.236
network-object host 70.169.128.237
network-object host 70.169.128.238
exit
My concern is applying these and whether they are configured correctly.
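To see what applying these groups in an access-list actually produces, here is an added example (not code from the original post or from Cisco) that parses object groups written in the PIX 6.x syntax used above and flattens one hypothetical ACE, `permit tcp object-group vpn_philippines object-group vpn_tiffany object-group tunnel-service`, into the per-host, per-port entries the firewall evaluates; the config text and the access-list name `tunnel-acl` are constructed for the example.

```python
import re
from itertools import product

# Constructed sample in PIX 6.x syntax mirroring the groups from the thread
# (not a capture from a real firewall; descriptions omitted for brevity).
CONFIG = """\
object-group service tunnel-service tcp
 port-object eq ssh
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq 3306
object-group network vpn_philippines
 network-object host 203.82.38.76
 network-object host 203.82.38.77
 network-object host 203.82.38.78
object-group network vpn_tiffany
 network-object host 70.169.128.236
 network-object host 70.169.128.237
 network-object host 70.169.128.238
"""

def parse_groups(text):
    """Return {group_name: [member, ...]} for every object-group in text."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object-group \S+ (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            # keep only *-object members; skip description/exit lines
            keyword, _, member = line.strip().partition(" ")
            if keyword.endswith("-object"):
                current.append(member)
    return groups

def expand_ace(groups, proto, src_grp, dst_grp, svc_grp):
    """Flatten 'permit <proto> object-group src object-group dst object-group svc'
    into the individual entries the firewall evaluates, in evaluation order."""
    return [
        f"permit {proto} {src} {dst} {svc}"
        for src, dst, svc in product(groups[src_grp], groups[dst_grp], groups[svc_grp])
    ]

def ace_count(groups, src_grp, dst_grp, svc_grp):
    """Size of the expanded rule set: one entry per (source, destination, port)."""
    return len(groups[src_grp]) * len(groups[dst_grp]) * len(groups[svc_grp])

if __name__ == "__main__":
    g = parse_groups(CONFIG)
    for ace in expand_ace(g, "tcp", "vpn_philippines", "vpn_tiffany", "tunnel-service"):
        print(f"access-list tunnel-acl {ace}")
```

Running it prints the 45 flat entries that one object-group line stands for, which is the same set you would get by writing one access-list line per host pair and port by hand.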
04-01-2006 11:42 PM
Hello,
Your object groups look fine, but I think you're going a little overboard using the protocol group. Usually people use one group for IP addys/networks and maybe a services group in a rule.
From what I see, you're going to use this for VPN matching or for the access-list inside.
Don't get too overzealous with your groups if there is no need.
Patrick
04-02-2006 05:38 PM
Thanks for the help. I will remove the protocols and enter one line in the acl for each.
Thanks