New Member

FWSM Strange behavior on access-list

Hi,

I have a strange problem where an object-group was created and applied to an access-list as below on line 12. Access from 10.10.214.0/24 to 203.1.254.23 failed to work even though the access-list permits it. Entering line 13 below (a repeat of 10.10.214.0/24) works fine.

access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd

access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846

access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86

access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739

access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86

Since it doesn't work, line 12 was removed from acl_test:

no access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23

After line 12 above was removed, line 13 on acl_test above failed to work.

access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86

Since

access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23

failed to work, I have re-entered

access-list acl_test permit ip object-group test_g2 host 203.1.254.23

and it works again, with the access-list entry on line 13 being hit (see below):

access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86

access-list acl_test line 13 extended permit ip object-group upr_g2 host 203.1.254.23 0x5e808afd

access-list acl_test line 13 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846

access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=1) 0xd1686d86

access-list acl_test line 13 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739

How can the problem above be rectified? Will removing and re-entering the statement below work?

nat (inside) 1 access-list acl_test

TIA.

PF
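The listings above show the same ACE hash (0xd1686d86) on two different line numbers: once as an expanded member of the object-group on line 12 and once as the standalone entry on line 13. A quick way to spot that kind of duplicate before it causes confusion is to parse the `show access-list` output and group entries by hash. The script below is an added example written for this thread, not code from the original post or from Cisco; the sample input is constructed to match the shape of the first listing above, and the regex assumes the ACA/FWSM line format exactly as it appears there (an object-group summary line without a hitcnt, followed by expanded entries that each carry one).

```python
"""Audit 'show access-list' output from an FWSM/ASA for duplicate ACEs.

Constructed example (not from the original post or from Cisco). It parses the
line format shown in the thread, where an object-group ACE is followed by its
expanded member entries and every entry carries a per-ACE hash. The same hash
on two different line numbers means two ACEs with identical content, which is
the situation the poster describes (line 12 expanded from the group and the
standalone line 13 both show 0xd1686d86).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One 'show access-list' entry. The hitcnt field is absent on the
# object-group summary line, so it is optional here.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<match>.+?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))? (?P<hash>0x[0-9a-fA-F]+)$"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    match: str            # e.g. "10.10.214.0 255.255.255.0 host 203.1.254.23"
    hits: Optional[int]   # None on the object-group summary entry
    ace_hash: str

    @property
    def is_group_summary(self) -> bool:
        # The unexpanded object-group line stands for several ACEs at once.
        return self.match.startswith("object-group ")


def parse_access_list(text: str) -> List[Ace]:
    """Parse every ACE line; unrelated output lines are ignored."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append(Ace(
            acl=m["acl"],
            line=int(m["line"]),
            action=m["action"],
            proto=m["proto"],
            match=m["match"],
            hits=int(m["hits"]) if m["hits"] is not None else None,
            ace_hash=m["hash"].lower(),
        ))
    return aces


def find_duplicate_aces(aces: List[Ace]) -> Dict[str, List[Ace]]:
    """Return expanded ACEs whose hash appears on more than one ACL line.

    Only expanded entries (those with a hitcnt) are compared; the group
    summary line is skipped because it is not itself a single ACE.
    """
    by_hash: Dict[str, List[Ace]] = defaultdict(list)
    for ace in aces:
        if ace.is_group_summary:
            continue
        by_hash[ace.ace_hash].append(ace)
    return {h: sorted(v, key=lambda a: a.line)
            for h, v in by_hash.items() if len({a.line for a in v}) > 1}


def report(aces: List[Ace]) -> List[str]:
    """One human-readable line per duplicated ACE, with per-line hit counts."""
    out = []
    for h, entries in find_duplicate_aces(aces).items():
        where = ", ".join(f"line {a.line} (hitcnt={a.hits})" for a in entries)
        first = entries[0]
        out.append(f"{first.acl}: duplicate ACE {h} "
                   f"'{first.action} {first.proto} {first.match}' at {where}")
    return out


# Constructed sample, copied in shape from the first listing in the post.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86
access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
"""

if __name__ == "__main__":
    for line in report(parse_access_list(SAMPLE_SHOW_ACCESS_LIST)):
        print(line)
```

Run against the constructed sample it reports the single duplicate, 0xd1686d86 at line 12 (hitcnt=0) and line 13 (hitcnt=2). To use it on a real device, paste the output of `show access-list acl_test` into SAMPLE_SHOW_ACCESS_LIST or read it from a file; the per-line hit counts then show which copy of the duplicated ACE is actually matching traffic.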

2 REPLIES
Silver

Re: FWSM Strange behavior on access-list

Such problems usually happen when the FWSM is running in multiple context mode with multiple VLANs in the same context. Check whether running in multiple context mode is causing the problem.

New Member

Re: FWSM Strange behavior on access-list

Amritpatek,

Multiple context mode is not activated. It is running as a single firewall with multiple interfaces/VLANs.

Thanks.

PF
