New Member

ASA5505 Object Groups in Access-List

I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list, as there are several servers behind the ASA running web servers.

However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.

In other words, it will let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site

but won't let me do:

access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www

Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:

access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www

Of course that doesn't really do me much good.

Is this a bug in this version of the ASA OS? Was this by design, and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?

Thanks for your assistance.

3 REPLIES
Cisco Employee

Re: ASA5505 Object Groups in Access-List

I tried on my box and it worked.

######

ASA-5510-8x(config)# object-group network mynetwork
ASA-5510-8x(config-network)# network-object host 1.1.1.1
ASA-5510-8x(config-network)# network-object host 2.2.2.2
ASA-5510-8x(config-network)# exit
ASA-5510-8x(config)# access-l testacl permit tcp any object-group mynetwork eq www
ASA-5510-8x(config)# sh access-l testacl
access-list testacl; 2 elements
access-list testacl line 1 extended permit tcp any object-group mynetwork eq www 0xf40a2caa
access-list testacl line 1 extended permit tcp any host 1.1.1.1 eq www (hitcnt=0) 0x11d45404
access-list testacl line 1 extended permit tcp any host 2.2.2.2 eq www (hitcnt=0) 0xf620c462

#######

HTH

Sushil
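The transcript above only shows a network group with a single port. The consolidated inbound ACL the original poster was after can also take the ports from a service object-group, so one ACE covers every server and every web port. The following is an added example in 8.0(4)-era syntax, not configuration from the thread; the group and ACL names, the interface name and the 192.0.2.0/24 addresses are placeholders.

```text
! Added example (not from the thread). Names, interface and addresses are placeholders.
object-group network Servers_Running_Web_Site
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
!
object-group service Web_Ports tcp
 port-object eq www
 port-object eq https
!
! One ACE covers every host in the network group and every port in the service group.
access-list Allowed_Incoming extended permit tcp any object-group Servers_Running_Web_Site object-group Web_Ports
access-group Allowed_Incoming in interface outside
```

Two checks worth making after entering this: `show access-list Allowed_Incoming` should report one element per host/port pair (3 hosts x 2 ports = 6 elements here), which confirms the group references resolved; and, because object-group names are case-sensitive, a typo in case is rejected as if the group did not exist, which is exactly the symptom in the question. On 8.0(4), before the 8.3 NAT rewrite, an ACL applied to the outside interface matches the translated (mapped) addresses, so the network-object entries must be the public addresses from the static translations, not the servers' inside addresses.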

New Member

Re: ASA5505 Object Groups in Access-List

Sloppiness from trying to do things in a hurry.

It was a capitalization error; I must have typed too fast when typing the object-group name, and my "standards" didn't come in.

Thanks for getting me to slow down and think for a bit.
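Because ASA object-group names are case-sensitive, a reference such as `object-group servers_running_web_site` fails against a group defined as `Servers_Running_Web_Site`, and the ASA gives little hint that case is the reason. The script below is an added example, not part of the thread: it parses a small constructed ASA configuration, flags ACL references whose object-group has no exact-case definition (suggesting the case-insensitive near match), and expands group-based ACEs into individual elements the way `show access-list` does. The configuration, group names and 192.0.2.0/24 addresses are constructed for the example.

```python
import itertools
import re

# Constructed sample configuration (not from the thread). The second ACE uses the
# wrong case for the network group name, which is the mistake in the question.
SAMPLE_CONFIG = """\
object-group network Servers_Running_Web_Site
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 192.0.2.32 255.255.255.240
object-group service Web_Ports tcp
 port-object eq www
 port-object eq https
access-list Allowed_Incoming extended permit tcp any object-group Servers_Running_Web_Site object-group Web_Ports
access-list Allowed_Incoming extended permit tcp any object-group servers_running_web_site eq www
access-list Allowed_Incoming extended permit tcp host 198.51.100.5 object-group Servers_Running_Web_Site eq ssh
"""

GROUP_HEADER = re.compile(r"object-group (network|service) (\S+)(?: (tcp|udp|tcp-udp))?$")


def parse_object_groups(config):
    """Return {name: (kind, [member lines])} for object-group network/service blocks.

    Member lines are the indented lines that follow a header; any unindented line
    ends the current block.
    """
    groups = {}
    current = None
    for line in config.splitlines():
        m = GROUP_HEADER.match(line)
        if m:
            current = m.group(2)
            groups[current] = (m.group(1), [])
        elif line.startswith(" ") and current is not None:
            groups[current][1].append(line.strip())
        else:
            current = None
    return groups


def find_bad_references(config, groups):
    """Return (line number, referenced name, suggested name or None) for every
    object-group reference in an access-list line that has no exact-case definition.
    Names are compared case-sensitively, as the ASA does; a case-insensitive match
    is offered as the likely intended group."""
    by_lower = {name.lower(): name for name in groups}
    problems = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.startswith("access-list "):
            continue
        for name in re.findall(r"object-group (\S+)", line):
            if name not in groups:
                problems.append((lineno, name, by_lower.get(name.lower())))
    return problems


def expand_ace(ace, groups):
    """Expand one ACE into the individual elements 'show access-list' would list:
    the cartesian product of every referenced group's members. A reference that
    does not resolve (e.g. wrong case) is left as-is."""
    parts = re.split(r"(object-group \S+)", ace)
    choices = []
    for part in parts:
        m = re.match(r"object-group (\S+)$", part)
        if m and m.group(1) in groups:
            _kind, members = groups[m.group(1)]
            choices.append([re.sub(r"^(network-object|port-object) ", "", mem) for mem in members])
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def report(config):
    """Print unresolved references and the per-ACE element counts."""
    groups = parse_object_groups(config)
    for lineno, name, hint in find_bad_references(config, groups):
        suggestion = f" (did you mean {hint}?)" if hint else ""
        print(f"line {lineno}: object-group {name} is not defined{suggestion}")
    for ace in (l for l in config.splitlines() if l.startswith("access-list ")):
        elements = expand_ace(ace, groups)
        print(f"{len(elements)} element(s): {ace}")
        for element in elements:
            print("   ", element)


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Run against a saved `show running-config` the same checker reports every ACE the ASA would have refused for a case mismatch; the expansion count is the number to compare with the `N elements` line that `show access-list` prints.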

Cisco Employee

Re: ASA5505 Object Groups in Access-List

No problem... I'm in TAC and never saw that before... was kind of amazed by the behaviour... :)

Cheers!!
