Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

service object-group

I want to replace the following:

access-list 101 permit tcp host eq www any

access-list 101 permit tcp host eq 443 any

I figured I could just create a service group and create the ACL.

conf t

object-group service WebServices

tcp www

tcp 443

ip access-list extended 188

permit tcp host eq WebServices ( <--problem here)

'permit tcp host eq ?' doesn't give me the option of adding a service object group. 'permit tcp host ?' only allows network object groups. And applying the service object group at 'permit ?' doesn't make sense (don't know if it's source or destination ports). When I look here: It says I should be able to put a service object group directly behind the network object group. But this isn't the case for me. 'permit tcp object-group WebServers ?' only allows network object groups. I'm running Version 12.4(24)T1 on a 7206. Anyone know how to use this properly? TIA.


Re: service object-group

Try removing the TCP keyword. Here's the line that worked for me.

access-list 188 permit object-group WebServices host any

Re: service object-group


Based on the document you provided. You want the service object group to be applied on the source addresses. Object group won't work the way you want. It's because of the service object group can be only applied on the destination. Why? If you read that document clearly. It says that the service object group is only to replace the protocol keyword in ACE. You can't use the service object group after the eq keyword. (grin)

The network object group is simply used as Src or Dest IP addresses in ACE.

The example provided by Collin is the correct syntax for permiting host to go to any IP address with WebServices. It's something like this "permit ip host any eq [www&443]"



Community Member

Re: service object-group

It still doesn't make sense to me. I want to understand why I can't issue the command 'permit tcp object-group my_network_object_group object-group

my_service_object_group any' like in the document. After the network object group I'm only allowed to issue another network object group. The syntax supplied in the document looks like I can use it the way I need to but it simply doesn't work. Here's what I see:

Router(config-ext-nacl)#permit tcp object-group WebServers ?

A.B.C.D Destination address

any Any destination host

eq Match only packets on a given port number

gt Match only packets with a greater port number

host A single destination host

lt Match only packets with a lower port number

neq Match only packets not on a given port number

object-group Destination network object group

range Match only packets in the range of port numbers

Router(config-ext-nacl)#permit tcp object-group WebServers

The document shows the next statement as 'object-group my_service_object_group' which would imply a service object group (not network object group). What gives?

CreatePlease to create content