Cisco Support Community
host syntax in access-list results in error

Hi, I have the following configuration (only the relevant part displayed) in a Cisco ASA 5525:

...

ASA Version 9.1(2) <context>

...

names

..

name xxx.xxx.xxx.xxx dmz_local_site_to_site_outside

name yyy.yyy.yyy.yyy dmz_remote_site_to_site_outside

...

Now any of the following commands:

access-list outside_access_in extended permit ah host dmz_remote_site_to_site_outside host  dmz_local_site_to_site_outside

access-list outside_access_in extended permit esp host dmz_remote_site_to_site_outside host dmz_local_site_to_site_outside

access-list outside_access_in extended permit tcp host dmz_remote_site_to_site_outside host dmz_local_site_to_site_outside object-group vpn_ports_tcp

access-list outside_access_in extended permit udp host dmz_remote_site_to_site_outside host dmz_local_site_to_site_outside object-group vpn_ports_udp

gives me the following error (always at the source host name):

ERROR: % Invalid input detected at '^' marker.

If I put the hosts in a group like this:

...

object-group network site_to_site_local

description local site to site address

network-object host dmz_local_site_to_site_outside

object-group network site_to_site_remote

description remote site to site address

network-object host dmz_remote_site_to_site_outside

...

access-list outside_access_in extended permit ah object-group site_to_site_remote object-group site_to_site_local

access-list outside_access_in extended permit esp object-group site_to_site_remote object-group site_to_site_local

access-list outside_access_in extended permit tcp object-group site_to_site_remote object-group site_to_site_local object-group vpn_ports_tcp

access-list outside_access_in extended permit udp object-group site_to_site_remote object-group site_to_site_local object-group vpn_ports_udp

there is no problem.

This seems like a plausible workaround, but I am very puzzled why the host-host syntax did work in our old PIX 515, should work in the ASA 5525 (as far as I understand), but does not.

Any suggestions would be greatly appreciated.

Rob
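One way to confirm that the object-group workaround permits exactly the same host pairs as the intended host-host lines, as an added example that is not part of the post or of any Cisco tooling: it parses the `name` and `object-group network` definitions and expands each ACL line to IP literals so the two forms can be compared. The name values are constructed placeholders, since the post masks them.

```python
from ipaddress import ip_address

# Constructed sample: the post masks the name values as xxx/yyy, so documentation
# addresses stand in for them here.
CONFIG = """
name 192.0.2.10 dmz_local_site_to_site_outside
name 198.51.100.20 dmz_remote_site_to_site_outside
object-group network site_to_site_local
 network-object host dmz_local_site_to_site_outside
object-group network site_to_site_remote
 network-object host dmz_remote_site_to_site_outside
access-list outside_access_in extended permit esp host dmz_remote_site_to_site_outside host dmz_local_site_to_site_outside
access-list outside_access_in extended permit esp object-group site_to_site_remote object-group site_to_site_local
"""

def parse_config(text):
    """Collect 'name' entries and the host members of each network object-group."""
    names, groups, current = {}, {}, None
    for parts in filter(None, map(str.split, text.splitlines())):
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]
        elif parts[:2] == ["object-group", "network"]:
            current, groups[parts[2]] = parts[2], []
        elif parts[:2] == ["network-object", "host"] and current:
            groups[current].append(parts[2])
        elif parts[0] != "description":
            current = None  # any other top-level line ends the object-group body
    return names, groups

def resolve_host(token, names):
    """A configured name resolves to its IP; anything else must itself be a valid IP."""
    return names[token] if token in names else str(ip_address(token))

def expand_acl(line, names, groups):
    """Rewrite an extended ACL line into name-free form(s): 'host NAME' -> 'host IP',
    a network 'object-group G' -> one line per member host (sorted for comparison)."""
    tokens, variants, i = line.split(), [[]], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "host":
            variants = [v + ["host", resolve_host(tokens[i + 1], names)] for v in variants]
            i += 2
        elif t == "object-group" and tokens[i + 1] in groups:
            members = [resolve_host(m, names) for m in groups[tokens[i + 1]]]
            variants = [v + ["host", m] for v in variants for m in members]
            i += 2
        else:  # action, protocol, service object-groups etc. pass through unchanged
            variants = [v + [t] for v in variants]
            i += 1
    return sorted(" ".join(v) for v in variants)
```

Feeding the two `esp` lines from the post through `expand_acl` yields the same single expanded rule, which is the check that the workaround did not widen or narrow the policy.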
