ASDM bug with network object groups??

chendav11
Level 1

I have a possible bug when creating an Access Rule that happens sporadically.

When using a Network Object Group with 3 members as the Destination, the ACL blocks the source that I want to permit. However, when I break up the Network Object Group into 3 individual destination hosts, the ACL works fine.

Has anyone experienced this???

ASA5520 Version 8.0(4)

ASDM 6.1

Thanks much

2 Replies

ivillegas
Level 6

To use object groups in an access list, replace the normal protocol (protocol), network (source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with object-group grp_id parameter.

For example, to use object groups for all available parameters in the access-list {tcp | udp} command, enter the following command:

hostname(config)# access-list access_list_name [line line_number] [extended] {deny |
permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group
nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]

You do not have to use object groups for all parameters; for example, you can use an object group for the source address, but identify the destination address with an address and mask.
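To check what an object-group ACE actually covers, the following added script (not from the original thread or from Cisco) parses a constructed ASA-style config snippet, expands each `object-group` reference in an access-list line into one ACE per member, and so produces the same per-host entries the original poster got by splitting the group by hand. It handles network object groups only; the group name, addresses and ACL name are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample config (not from the original post): one network
# object group with three members and one extended ACE that references it.
SAMPLE_CONFIG = """\
object-group network DMZ_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp host 192.0.2.5 object-group DMZ_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any
"""


def parse_network_groups(config: str) -> Dict[str, List[str]]:
    """Collect `object-group network` definitions. Members are kept in the
    form a plain ACE would use: "host A.B.C.D" or "A.B.C.D MASK"."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" network-object "):
            groups[current].append(line.split(None, 1)[1].strip())
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group block
    return groups


def expand_aces(config: str) -> List[str]:
    """Rewrite each `object-group <name>` token in an access-list line into
    one ACE per member (the expanded view `show access-list` presents).
    Only network groups are known here; any other group name raises."""
    groups = parse_network_groups(config)
    expanded: List[str] = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        variants = [line]
        for name in re.findall(r"object-group (\S+)", line):
            if name not in groups:
                raise ValueError(f"undefined network object-group {name!r}")
            pattern = rf"object-group {re.escape(name)}(?=\s|$)"
            variants = [re.sub(pattern, lambda _m, mem=member: mem, v, count=1)
                        for v in variants for member in groups[name]]
        expanded.extend(variants)
    return expanded


if __name__ == "__main__":
    print("\n".join(expand_aces(SAMPLE_CONFIG)))
```

Comparing this expansion with the device's own `show access-list` output shows whether the group members the ACE actually matches are the ones you intended.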

roshan.maskey
Level 1

Hi,

Could you post your object group and the access list used for that object group?
