
nat policy failed if you use object-group in access-list

GerardT
Level 1

Hey guys, anybody know about any issues with policy and access-list object-group?

I tried to make this config and the PIX returned an error.

The config was this:

object-group network 202_1_15_15
 network-object 10.0.0.0 255.255.248.0
 network-object 10.1.102.0 255.255.255.0
 network-object 10.2.0.0 255.255.192.0
 network-object 10.2.64.0 255.255.192.0
 network-object 10.2.192.0 255.255.192.0
 network-object 10.3.47.0 255.255.255.0
 network-object 10.3.247.0 255.255.255.0
 network-object 10.3.251.0 255.255.255.0
 network-object 10.5.0.0 255.255.240.0
 network-object 10.5.16.0 255.255.252.0
access-list nat_outside1 permit ip object-group 202_1_15_15 any
nat (inside) 1515 acccess-list nat_outside1
global (outside) 1515 202.1.1.15

When I applied the nat command, this error was displayed:

ERROR: Invalid ip address <access-list>

The PIX version is 6.3.3.

I tried this on an ASA, and the config was permitted without problem.

Let me know any input.

Regards.

Gerard

1 Reply

mjsully
Level 1

Is that the actual config copied and pasted into your post, because you have 3 "c's" in the word access-list in your nat statement.
