ASA5505 got Network objects group and network objects problem

danielchau
Level 1

Hi,

 

My ASA5505 has started acting strangely in ASDM. When I start creating network objects and network object groups, it often fails.

Actually, what I am trying to do is to deny connections to/from advertisement servers; it is supposed to be an easy task.

This is the error message from ASDM when I edit the network object group:

[OK] object network ADS.ds.serving-sys.com
      object network ADS.ds.serving-sys.com
[OK] fqdn v4 ds.serving-sys.com
[OK] description ds.serving-sys.com
[OK] object-group network ADS_BLOCK
      object-group network ADS_BLOCK
[ERROR] network-object object ADS.b.voicefive.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister b.voicefive.com lookup service (10)

[ERROR] network-object object ADS.cmh.hk.overture.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister cmh.hk.overture.com lookup service (10)

[ERROR] network-object object ADS.ds.serving-sys.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister ds.serving-sys.com lookup service (10)

[ERROR] network-object object ADS.i.l.networld.hk
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister i.l.networld.hk lookup service (10)

[ERROR] network-object object ADS.pagead2.googlesyndication.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister pagead2.googlesyndication.com lookup service (10)

[ERROR] network-object object ADS.pubads.g.doubleclick.net
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister pubads.g.doubleclick.net lookup service (10)

[ERROR] network-object object ADS.s3-ap-southeast-1.amazonaws.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister s3-ap-southeast-1.amazonaws.com lookup service (10)

[ERROR] network-object object ADS.servedby.adsfactor.net
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister servedby.adsfactor.net lookup service (10)

 

My ASA5505 is running ASA 9.2 with ASDM 7.2.1. How can I solve this problem? The ACL for this network group also disappears after I create it with the network object group, again and again. It just doesn't work now.

Thanks

Daniel

14 Replies

If you enable preview commands under preferences before deploying, review the commands to see if there might be some issues with the commands the ASDM is trying to deploy.

Have you tried to add the object groups and ACLs using the CLI? Has this been successful?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for the suggestion - I have enabled the option you mentioned.

I can see it is trying to do:

 object-group network ADS_BLOCK
        network-object object ADS.b.voicefive.com
        network-object object ADS.cmh.hk.overture.com

 

Then it came back:

[OK] object-group network ADS_BLOCK
      object-group network ADS_BLOCK
[ERROR] network-object object ADS.b.voicefive.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister b.voicefive.com lookup service (10)

[ERROR] network-object object ADS.cmh.hk.overture.com
    Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister cmh.hk.overture.com lookup service (10)

 

I don't know what is going on. Any suggestion on how to debug this is welcome, and I will try whatever is suggested as best I can.

Thank you!

Daniel

Have you tried adding the commands manually in the CLI? If not, could you try a couple of object-groups to see if you get an error there also?

If you do not get an error there then I think this could be an issue with ASDM version and would suggest downgrading (if you absolutely have to do this in ASDM). If you get an error when entering the commands in CLI then it would seem that there is an issue with the configuration...perhaps naming convention(?), in any case we would need to see more of your configuration to help you further in this case.

--
Please remember to select a correct answer and rate helpful posts

I found another problem.

I see what ASDM is doing:

 access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK  log disable

then write mem

ASDM will actually list this ACL for a moment.

No problem.

But in the actual running config, I cannot see anything related to this.

And interestingly, after write mem and checking the running config from the CLI, I run ASDM again, and the ACL has disappeared.

So it seems this  access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK  log disable  is of no use at all.

By the way, I used the command line to create this new ADS1_BLOCK group; no problem at the moment.

As I am not very familiar with the CLI, would you suggest another way to rewrite this:

 access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK  log disable

? I suspected this command messed things up in my ASA.

 

Thanks

Daniel

 

I don't see how that ACL entry would mess things up as it is disabled.  But there really isn't any other way of writing it, other than creating separate entries for all the objects in the ADS1_BLOCK group.

--
Please remember to select a correct answer and rate helpful posts

I tried this:

access-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable

as I found it in the running config.

I typed this in the CLI:

asa(config)# aaccess-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable
asa(config)# write
Building configuration...
Cryptochecksum: 793b2277 64859db5 0966c319 439447e6

28366 bytes copied in 1.420 secs (28366 bytes/sec)
[OK]
asa(config)#

But when I run sh run, I cannot find this entry in my running config.

My running config has this:

access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable

 

I really don't know what is going on: no complaint in the CLI, I can write to mem, but it just does not exist in the running config.

Any suggestion?

Should I downgrade the ASA?

Thanks

Daniel

Could you post the configuration output for ADS1_BLOCK please?

--
Please remember to select a correct answer and rate helpful posts

I post my running config here; I hope you can give me some suggestions.

asa# sh run
: Saved
:
: Serial Number:
: Hardware:   ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(1)
!
hostname asa
enable password  encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

multicast-routing
names
name 10.71.0.50 my-host
ip local pool vpn-pool 10.71.1.230-10.71.1.254 mask 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!             
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private-interface
 nameif inside
 security-level 100
 ip address 10.71.0.1 255.255.255.0
!             
interface Vlan2
 description Public-interface
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa921-k8.bin
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.71.0.224
 subnet 10.71.0.224 255.255.255.224
object network my-host
 host 10.71.0.50
object service obj-tcp-source-eq-57706
 service tcp source eq 57706
object service obj-tcp-source-eq-7777
 service tcp source eq 7777
object network obj-10.71.0.0
 subnet 10.71.0.0 255.255.0.0
object network NETWORK_OBJ_10.71.0.224_27
 subnet 10.71.0.224 255.255.255.224
object service obj-tcp-source-eq-80
 service tcp source eq www
object network vpnpool
 range 10.71.1.230 10.71.1.254
 description vpnpool
object service obj-tcp-source-eq-443
 service tcp source eq https
object service 1443
 service tcp destination eq 1443
object network block-NEOTEL
 range 41.160.0.0 41.175.255.255
 description 255.255.0.0
object network block-190.123.0.0
 range 190.123.0.0 190.123.255.255
object network block-level3
 range 4.26.0.0 4.26.255.255
object network block-110.164.191.179
 range 110.164.0.0 110.164.255.255
object network block-87.106.0.0_16
 range 87.106.0.0 87.106.255.255
object network block-80.86.80.0_16
 range 80.86.80.0 80.86.84.255
object network ADS.bdaz.adsfactor.net
 fqdn v4 bdaz.adsfactor.net
 description bdaz.adsfactor.net
object network ADS.googleads.g.doubleclick.net
 fqdn v4 googleads.g.doubleclick.net
 description googleads.g.doubleclick.net
object network ADS.i.l.networld.hk
 fqdn v4 i.l.networld.hk
 description i.l.networld.hk
object network ADS.servedby.adsfactor.net
 fqdn v4 servedby.adsfactor.net
 description servedby.adsfactor.net
object network ADS.pagead2.googlesyndication.com
 fqdn v4 pagead2.googlesyndication.com
 description pagead2.googlesyndication.com
object network ADS.s3-ap-southeast-1.amazonaws.com
 fqdn v4 s3-ap-southeast-1.amazonaws.com
 description s3-ap-southeast-1.amazonaws.com
object network ADS.cmh.hk.overture.com
 fqdn v4 cmh.hk.overture.com
 description cmh.hk.overture.com
object network ADS.pubads.g.doubleclick.net
 fqdn v4 pubads.g.doubleclick.net
 description pubads.g.doubleclick.net
object network ADS.ds.serving-sys.com
 fqdn v4 ds.serving-sys.com
 description ds.serving-sys.com
object network ADS.b.voicefive.com
 fqdn b.voicefive.com
object network ADS1.test.abc.com
 fqdn test.abc.com
object-group network ADS_BLOCK
 network-object object ADS.bdaz.adsfactor.net
 network-object object ADS.googleads.g.doubleclick.net
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
 port-object eq isakmp
 port-object eq 4500
 port-object eq snmp
 port-object eq snmptrap
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq 57706
object-group icmp-type ICMP-Service-Group
 description ICMP Service Group
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service Monitor-remote-tcp tcp
 description Monitor-remote-tcp
 port-object eq 5938
 port-object eq 7777
object-group network DMZ_Group
 network-object 10.80.0.0 255.255.0.0
object-group network wp-block
 network-object object block-NEOTEL
 network-object object block-190.123.0.0
 network-object object block-level3
 network-object object block-110.164.191.179
 network-object object block-87.106.0.0_16
 network-object object block-80.86.80.0_16
object-group service DM_INLINE_SERVICE_3
 service-object object obj-tcp-source-eq-443
 service-object object obj-tcp-source-eq-57706
 service-object object obj-tcp-source-eq-7777
 service-object object obj-tcp-source-eq-80
object-group network ADS1_BLOCK
 network-object object ADS1.test.abc.com
 network-object object ADS.b.voicefive.com
 network-object object ADS.bdaz.adsfactor.net
 network-object object ADS.cmh.hk.overture.com
 network-object object ADS.ds.serving-sys.com
 network-object object ADS.googleads.g.doubleclick.net
 network-object object ADS.i.l.networld.hk
 network-object object ADS.pagead2.googlesyndication.com
 network-object object ADS.pubads.g.doubleclick.net
 network-object object ADS.s3-ap-southeast-1.amazonaws.com
 network-object object ADS.servedby.adsfactor.net
object-group-search access-control
access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any4
access-list inside-in extended deny ip any 202.128.224.0 255.255.224.0 log alerts
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any4 object-group Internet-udp
access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any4 object-group Internet-tcp
access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any4
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply
access-list outside-in extended deny tcp any 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended deny tcp object-group wp-block object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny object-group DM_INLINE_SERVICE_3 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny tcp 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list outside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list outside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_nat0_outbound extended permit ip any4 10.71.0.224 255.255.255.224
access-list split-tunnel standard permit 10.71.0.0 255.255.255.0
access-list DMZ_access_in extended permit tcp any any object-group Internet-tcp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit udp any any object-group Internet-udp
access-list DMZ_access_in extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended permit tcp any any object-group Internet-tcp
access-list global_access extended permit udp any any object-group Internet-udp
access-list global_access extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended deny ip 202.128.224.0 255.255.224.0 object my-host log alerts
access-list global_access extended deny ip object my-host 202.128.224.0 255.255.224.0 log alerts
pager lines 24
logging enable
logging timestamp
logging list filter level warnings
logging buffer-size 999999
logging buffered filter
logging asdm informational
logging flash-bufferwrap
logging flash-minimum-free 30760
logging flash-maximum-allocation 30240
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-57706 obj-tcp-source-eq-57706
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-7777 obj-tcp-source-eq-7777
nat (inside,outside) source dynamic obj-10.71.0.0 interface
nat (inside,outside) source static any any destination static obj-10.71.0.0 obj-10.71.0.0 no-proxy-arp route-lookup
!
object network obj-10.71.0.0
 nat (inside,outside) dynamic interface
!
nat (any,outside) after-auto source static vpnpool vpnpool
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=my-asa
 crl configure
crypto ca trustpool policy
crypto ca certificate map DefaultCertificateMap 10

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 21 20 19 24 14 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2    
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server 1.2.3.4
vpnclient mode client-mode
vpnclient vpngroup vpn password *****
dhcpd lease 1048575
!
dhcpd address my-host-10.71.0.128 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
ntp authenticate
ntp server 118.143.17.82 prefer
ssl encryption 3des-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 port 8443
 enable inside
 enable outside
 character-encoding unicode
 anyconnect-essentials
 csd image disk0:/csd_3.6.6210-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 2 regex "Linux"
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect profiles vpn disk0:/vpn.xml
 anyconnect enable
 tunnel-group-list enable

 mus password *****
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 8.8.8.8 8.8.4.4
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:793b227764859db50966c319439447e6
: end


is this a typo or copy error...? (two a's in access)

aaccess-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable

If it is a typo, I do not have a good explanation as to why it is not showing up in the running configuration.  I plugged your config into my ASA and got no error, and I see the entry when I issue show run access-list.

Try removing the ADS1_BLOCK group and the ACL, refresh ASDM and make sure the commands are not present in the ASDM or CLI, then re-add the commands using the CLI only and see if the command is now present.

no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable

no object-group network ADS1_BLOCK

Refresh ASDM and check that the configs are gone.

object-group network ADS1_BLOCK
 network-object object ADS1.test.abc.com
 network-object object ADS.b.voicefive.com
 network-object object ADS.bdaz.adsfactor.net
 network-object object ADS.cmh.hk.overture.com
 network-object object ADS.ds.serving-sys.com
 network-object object ADS.googleads.g.doubleclick.net
 network-object object ADS.i.l.networld.hk
 network-object object ADS.pagead2.googlesyndication.com
 network-object object ADS.pubads.g.doubleclick.net
 network-object object ADS.s3-ap-southeast-1.amazonaws.com
 network-object object ADS.servedby.adsfactor.net

access-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable

If that doesn't work then perhaps it is best to contact TAC, if you have a support contract with Cisco.

--
Please remember to select a correct answer and rate helpful posts

Hi

 

I am getting into a loop...

 

asa(config)# no object network ADS.googleads.g.doubleclick.net
ERROR: unable to delete object (ADS.googleads.g.doubleclick.net). object is being used.

 

asa(config)# no object-group network ADS1_BLOCK
Removing object-group (ADS1_BLOCK) not allowed, it is being used.

Any idea how to solve this???

It is driving me crazy ..... -_-"

Thanks

Daniel

You need to remove the access-list first.

no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable

Enter this command even though the ACL is not visible in the running configuration.  You might want to try the following commands to see if the access-list shows up there: show run all and more system:running-config

After you have removed the access-list remove the object-group:

no object-group network ADS1_BLOCK

--
Please remember to select a correct answer and rate helpful posts

Yeah, all the ADS entries are not resolving to anything; since they don't resolve, you are getting this error.

 

C:\Users\jumora>nslookup ADS.cmh.hk.overture.com
Server:  UnKnown
Address:  10.198.4.30

*** UnKnown can't find ADS.cmh.hk.overture.com: Non-existent domain

C:\Users\jumora>nslookup ADS.googleads.g.doubleclick.net
Server:  UnKnown
Address:  10.198.4.30

*** UnKnown can't find ADS.googleads.g.doubleclick.net: Non-existent domain

Value our effort and rate the assistance!

Hi jumora,

 

But I don't know if an object name will also be used to resolve - -_-"

In the running config:

object network ADS.pagead2.googlesyndication.com
 fqdn v4 pagead2.googlesyndication.com
 description pagead2.googlesyndication.com

In fqdn I defined the proper domain name...

Anyway, do you have a suggestion on how I can remove these troublesome network groups and network objects? I am running in a loop.... Thanks

Daniel

 

I put ADS.(domain name) just to make it easy for me to classify them as ad servers.

 

Thanks - it seems to be of no use. Even when I run show run all and more system:running-config, I still cannot see the access-list with ADS1_BLOCK.

And this is what I have tried:

asa# conf t
asa(config)# no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK  log disable
Specified access-list does not exist
asa(config)# no  access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK  log disable
Specified access-list does not exist at that line
asa(config)# show run access-list
access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any4
access-list inside-in extended deny ip any 202.128.224.0 255.255.224.0 log alerts
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any4 object-group Internet-udp
access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any4 object-group Internet-tcp
access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any4
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply
access-list outside-in extended deny tcp any 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended deny tcp object-group wp-block object pigpigpig-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny object-group DM_INLINE_SERVICE_3 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny tcp 202.128.224.0 255.255.224.0 object pigpigpig-host log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list outside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list outside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_nat0_outbound extended permit ip any4 10.71.0.224 255.255.255.224
access-list split-tunnel standard permit 10.71.0.0 255.255.255.0
access-list DMZ_access_in extended permit tcp any any object-group Internet-tcp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit udp any any object-group Internet-udp
access-list DMZ_access_in extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended permit tcp any any object-group Internet-tcp
access-list global_access extended permit udp any any object-group Internet-udp
access-list global_access extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended deny ip 202.128.224.0 255.255.224.0 object pigpigpig-host log alerts
access-list global_access extended deny ip object my-host 202.128.224.0 255.255.224.0 log alerts

asa(config)#
asa(config)# no object-group network ADS1_BLOCK
Removing object-group (ADS1_BLOCK) not allowed, it is being used.
asa(config)# show run object-group network ADS1_BLOCK
                                           ^
ERROR: % Invalid input detected at '^' marker.
asa(config)# show run object-group                   
object-group network ADS1_BLOCK
 network-object object ADS.b.voicefive.com

asa(config)#
asa(config)# no network-object object ADS.b.voicefive.com
                 ^
ERROR: % Invalid input detected at '^' marker.
asa(config)# object-group network ADS1_BLOCK
asa(config-network-object-group)# no network-object object ADS.b.voicefive.com
Removing obj from object-group not allowed;
object-group (ADS1_BLOCK),  being used in access-list or threat-detection or NAT, would become empty
asa(config-network-object-group)#
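Marius's advice above (remove the access-list that uses the group first, then the group, then the member objects) and the "would become empty" refusal at the end of this post are two sides of the same ASA reference check: a name cannot be deleted while an access-list, NAT rule, threat-detection setting or another group still points at it, and a group that is still referenced may not lose its last member. The script below is an added example, not code from the thread or from Cisco. It parses a running-config fragment (SAMPLE_CONFIG is constructed for this example and is not Daniel's full configuration), lists the lines that still hold a reference to a given name, and emits the `no ...` commands in an order that satisfies those checks. It only understands `object network`, `object-group network`, `access-list` and `nat` lines; anything else holding a reference (for example a threat-detection or NAT rule it cannot parse) would still have to be found with `show run all` or `more system:running-config` as Marius suggests.

```python
import re

# Constructed sample running-config fragment for this example (not the
# thread author's full configuration).
SAMPLE_CONFIG = """\
object network ADS.b.voicefive.com
 fqdn b.voicefive.com
object network ADS.ds.serving-sys.com
 fqdn v4 ds.serving-sys.com
 description ds.serving-sys.com
object network my-host
 host 10.71.0.50
object-group network ADS1_BLOCK
 network-object object ADS.b.voicefive.com
 network-object object ADS.ds.serving-sys.com
object-group network other-group
 network-object object ADS.ds.serving-sys.com
access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
access-list inside_access_in extended permit ip any4 any4 log disable
nat (inside,outside) source dynamic my-host interface
"""


def parse_config(text):
    """Split a config into 'object network' blocks, 'object-group network'
    blocks (name -> indented body lines) and the remaining top-level lines."""
    objects, groups, others = {}, {}, []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:        # body line of the open block
                current.append(raw.strip())
            continue
        current = None
        m = re.match(r"object network (\S+)$", raw)
        if m:
            current = objects.setdefault(m.group(1), [])
            continue
        m = re.match(r"object-group network (\S+)$", raw)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        others.append(raw.strip())
    return objects, groups, others


def group_members(groups, group):
    """Names of the 'network-object object X' members of a group."""
    return [line.split()[2] for line in groups.get(group, [])
            if line.startswith("network-object object ")]


def holders(text, name):
    """Config lines that still reference `name`: ACL/NAT/other top-level lines
    and other groups. A non-empty result is what produces the ASA's
    'is being used' refusal when you try to delete the object or group."""
    _, groups, others = parse_config(text)
    ref = re.compile(r"(?:^|\s)(?:object-group|object)\s+" + re.escape(name) + r"(?:\s|$)")
    found = [line for line in others
             if ref.search(line) or (line.startswith("nat ") and name in line.split())]
    found += ["object-group network " + g for g in groups
              if g != name and name in group_members(groups, g)]
    return found


def can_remove_member(text, group, member):
    """The ASA refuses to remove the last member of a group that is still
    referenced, because the group 'would become empty'."""
    _, groups, _ = parse_config(text)
    members = group_members(groups, group)
    if member not in members:
        return False
    return len(members) > 1 or not holders(text, group)


def removal_plan(text, group):
    """CLI commands in an order the reference checks accept: first the lines
    that use the group, then the group, then member objects nothing else uses."""
    objects, groups, _ = parse_config(text)
    if group not in groups:
        raise KeyError(f"object-group network {group} not found")
    # Nested group references are skipped here; they need their own pass.
    plan = ["no " + line for line in holders(text, group)
            if not line.startswith("object-group network ")]
    plan.append("no object-group network " + group)
    for member in group_members(groups, group):
        others_using = [h for h in holders(text, member)
                        if h != "object-group network " + group]
        if member in objects and not others_using:
            plan.append("no object network " + member)
    return plan


if __name__ == "__main__":
    print("\n".join(removal_plan(SAMPLE_CONFIG, "ADS1_BLOCK")))
```

Run against the sample, the plan removes the ACL line, then ADS1_BLOCK, then ADS.b.voicefive.com, and leaves ADS.ds.serving-sys.com alone because other-group still uses it. Paste the output of `show run` from the real device into the parser before trusting a plan for it, and treat an empty `holders()` result that still draws "it is being used" from the ASA as the signal to look in `show run all` for a referrer the parser does not cover.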
