ASA5505 Object Groups in Access-List

caplinktech
Level 1

I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list, as there are several servers behind the ASA running web servers.

However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.

In other words, it will let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site

but won't let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www

Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:

access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www

Of course that doesn't really do me much good.

Is this a bug in this version of the ASA OS? Was this by design, and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?

Thanks for your assistance.

3 Replies

suschoud
Cisco Employee

I tried on my box and it worked ????

######
ASA-5510-8x(config)# object-group network mynetwork
ASA-5510-8x(config-network)# net
ASA-5510-8x(config-network)# network-object host 1.1.1.1
ASA-5510-8x(config-network)# network-object host 2.2.2.2
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)# exit
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)# access-l testacl permit tcp any ob
ASA-5510-8x(config)# access-l testacl permit tcp any object-group mynetwork eq www
ASA-5510-8x(config)# sh access-l testacl
access-list testacl; 2 elements
access-list testacl line 1 extended permit tcp any object-group mynetwork eq www 0xf40a2caa
access-list testacl line 1 extended permit tcp any host 1.1.1.1 eq www (hitcnt=0) 0x11d45404
access-list testacl line 1 extended permit tcp any host 2.2.2.2 eq www (hitcnt=0) 0xf620c462
#######

HTH

Sushil

Sloppiness from trying to do things in a hurry.

It was a capitalization error, must have typed too fast when typing the object group name and my "standards" didn't come in.

Thanks for getting me to slow down and think for a bit.
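The root cause above was an object-group name typed with the wrong capitalization. The following is an added example, not part of the thread and not Cisco tooling: a small check that reads ASA-style config text, collects the defined object-group names, and flags any access-list reference whose name differs from a definition only by case (or is not defined at all). The sample config is constructed for illustration; the group and ACL names are the ones from the thread, the addresses are documentation ranges.

```python
import re

# Constructed sample config fragment (not the poster's real config).
# Line 6 references the group with a lowercase "site", the kind of typo that
# cost the poster the debugging time; line 8 references a group never defined.
SAMPLE_CONFIG = """\
object-group network Servers_Running_Web_Site
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network Temp_List
 network-object 198.51.100.0 255.255.255.0
access-list Allowed_Incoming_temp extended permit tcp any object-group Servers_Running_Web_site eq www
access-list Allowed_Incoming_temp extended permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www
access-list Allowed_Incoming_temp extended permit tcp any object-group Mail_Servers eq smtp
"""

# Definition lines: "object-group <type> <name>"
DEF_RE = re.compile(r"^object-group\s+(?:network|service|protocol|icmp-type)\s+(\S+)")
# References inside access-list lines: "object-group <name>"
REF_RE = re.compile(r"object-group\s+(\S+)")


def check_object_group_refs(config: str) -> list:
    """Return (line_no, referenced_name, verdict) for each object-group reference
    found on access-list lines. verdict is 'ok', 'case-mismatch:<defined name>'
    or 'undefined'. Object-group names on the ASA are case-sensitive, so a
    case-mismatch is a real error, not a cosmetic one."""
    lines = config.splitlines()
    defined = {m.group(1) for line in lines if (m := DEF_RE.match(line))}
    # Map lowercased names back to their defined spelling for near-miss lookup.
    by_lower = {}
    for name in defined:
        by_lower.setdefault(name.lower(), name)
    findings = []
    for no, line in enumerate(lines, 1):
        if not line.startswith("access-list"):
            continue
        for name in REF_RE.findall(line):
            if name in defined:
                verdict = "ok"
            elif name.lower() in by_lower:
                verdict = "case-mismatch:" + by_lower[name.lower()]
            else:
                verdict = "undefined"
            findings.append((no, name, verdict))
    return findings


if __name__ == "__main__":
    for no, name, verdict in check_object_group_refs(SAMPLE_CONFIG):
        if verdict != "ok":
            print(f"line {no}: object-group {name}: {verdict}")
```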

No problem.... I'm in TAC and never saw that before... was kind of amazed by the behaviour.... :)

Cheers!!
