04-03-2009 03:57 PM - edited 03-11-2019 08:14 AM
I have a possible bug when creating an Access Rule that happens sporadically.
When using a Network Object Group with 3 members as the Destination, the ACL blocks the source that I want to permit. However, when I break up the Network Object Group into 3 individual destination hosts, the ACL works fine.
Has anyone experienced this?
ASA5520 Version 8.0(4)
ASDM 6.1
Thanks much
04-09-2009 03:17 PM
To use object groups in an access list, replace the normal protocol (protocol), network (source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with the object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for the source address, but identify the destination address with an address and mask.
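A practical way to check the situation described in this thread (a grouped destination behaving differently from the same three hosts written out individually) is to expand the object-group references offline and compare the two access lists entry by entry, the way the ASA itself flattens them. The following Python script is an added example, not code from the thread or from Cisco; the configuration text, the group name DST_SERVERS and the ACL names OUTSIDE_IN and OUTSIDE_IN_FLAT are constructed for the demonstration, and only the subset of ASA syntax used here is parsed.

```python
"""Expand object-group network references in an ASA access list and compare the
result with an equivalent list written with individual hosts.

Added example; not from the original thread or Cisco documentation.  The config
below is constructed.  Parsed syntax is limited to:
  'network-object host A', 'network-object A MASK', 'group-object NAME'
  'access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]'
where SRC/DST is 'host A', 'any', 'A MASK' or 'object-group NAME'.
"""
import ipaddress

# Constructed config: a three-member group used as the destination of one ACE,
# followed by the same policy written as three separate destination entries.
CONFIG = """\
object-group network DST_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp host 192.0.2.5 object-group DST_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list OUTSIDE_IN_FLAT extended permit tcp host 192.0.2.5 host 10.1.1.10 eq 443
access-list OUTSIDE_IN_FLAT extended permit tcp host 192.0.2.5 host 10.1.1.11 eq 443
access-list OUTSIDE_IN_FLAT extended permit tcp host 192.0.2.5 10.1.2.0 255.255.255.0 eq 443
access-list OUTSIDE_IN_FLAT extended deny ip any any
"""


def parse_groups(config):
    """Return {group_name: [ip_network, ...]} with nested group-objects expanded."""
    raw, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = line.split()[2]
            raw[current] = []
        elif line.startswith(" ") and current:
            raw[current].append(line.split())
        else:
            current = None

    def expand(name, seen=()):
        if name in seen:
            raise ValueError(f"group-object loop at {name}")
        nets = []
        for tok in raw[name]:
            if tok[0] == "network-object" and tok[1] == "host":
                nets.append(ipaddress.ip_network(tok[2]))
            elif tok[0] == "network-object":
                nets.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
            elif tok[0] == "group-object":
                nets.extend(expand(tok[1], seen + (name,)))
        return nets

    return {name: expand(name) for name in raw}


def _addr_term(tokens, i, groups):
    """Parse one address term starting at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2


def expand_acl(config, acl_name):
    """Return the ACL as an ordered list of (action, proto, src_net, dst_net, port)
    entries, one per (source member, destination member) pair."""
    groups = parse_groups(config)
    entries, prefix = [], f"access-list {acl_name} "
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        tok = line.split()
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        srcs, i = _addr_term(tok, i + 2, groups)
        dsts, i = _addr_term(tok, i, groups)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.extend((action, proto, s, d, port) for s in srcs for d in dsts)
    return entries


def first_match(entries, proto, src, dst, port=None):
    """Return the first entry matching the packet (first-match evaluation), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e[1] in (proto, "ip") and s in e[2] and d in e[3] and e[4] in (None, port):
            return e
    return None


def same_policy(config, acl_a, acl_b):
    """True when both lists expand to the same set of entries.  Ordering is ignored,
    which is adequate here because every expanded entry is a permit placed before
    the single final deny."""
    return set(expand_acl(config, acl_a)) == set(expand_acl(config, acl_b))


if __name__ == "__main__":
    grouped = expand_acl(CONFIG, "OUTSIDE_IN")
    for entry in grouped:
        print(entry)
    print("equivalent:", same_policy(CONFIG, "OUTSIDE_IN", "OUTSIDE_IN_FLAT"))
    print(first_match(grouped, "tcp", "192.0.2.5", "10.1.1.11", 443))
```

If the two lists expand to the same entries, the difference the original poster saw is not in the ACL text itself, and the next thing to collect is the output of `show access-list` on the ASA, which prints the expanded entries and their hit counts, together with the object-group definition, as the third reply asks for.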
04-09-2009 04:19 PM
Hi,
Could you post your object group and the access list used for that object group.