Cisco Support Community

Ip access object groups not working

Hello all,

I have a Cisco 2901 router running 15.3 (M3) that I am trying to set up a basic firewall on. I want to remote console into computers from only certain IP addresses. I've created the objects and rules below and applied them to the subinterface, but when I do that it cuts off all data from the subinterface. There are a lot more rules, but I just cut it down so I can figure out where I went wrong. Basically, I want anyone on the 192.168 subnet to be able to VNC or RDP into a machine on the 10.100 network. I'm hoping someone can point out where I went wrong. Thanks in advance.


object-group network GG-Internal

object-group network GG-CDE

object-group service RemoteConsole
 tcp eq 3389
 tcp eq 5900
 tcp eq 5902

ip access-list extended CDE-IN-V1
 permit object-group RemoteConsole object-group GG-CDE object-group GG-Internal

ip access-list extended CDE-OUT-V1
 permit object-group RemoteConsole object-group GG-Internal object-group GG-CDE

interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address
 ip policy route-map clear-df
 service-policy input INGRESS_MARKING
 ip access-group CDE-IN-V1 in
 ip access-group CDE-OUT-V1 out
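A quick way to see what an object-group ACL like the one above actually matches, before applying it to an interface, is to evaluate sample flows against it offline. The following Python checker is an added example, not code from the thread or from Cisco: it parses the posted service group and access lists in the `permit object-group SVC object-group SRC object-group DST` form, and assumes members for GG-Internal (192.168.0.0/16) and GG-CDE (10.100.0.0/16) taken from the poster's description, since the thread does not show them. It follows the IOS convention that a bare `eq`/`range` in a service object-group is a destination port and `source eq` is a source port, and that every ACL ends with an implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration. The service group and the two ACLs are the
# ones posted in the thread; the members of GG-Internal and GG-CDE are ASSUMED
# from the description ("192.168 subnet", "10.100 network").
SAMPLE_CONFIG = """
object-group network GG-Internal
 192.168.0.0 255.255.0.0
object-group network GG-CDE
 10.100.0.0 255.255.0.0
object-group service RemoteConsole
 tcp eq 3389
 tcp eq 5900
 tcp eq 5902
ip access-list extended CDE-IN-V1
 permit object-group RemoteConsole object-group GG-CDE object-group GG-Internal
ip access-list extended CDE-OUT-V1
 permit object-group RemoteConsole object-group GG-Internal object-group GG-CDE
"""

PortSpan = Optional[Tuple[int, int]]  # (low, high) or None for "any port"


@dataclass
class ServiceEntry:
    proto: str
    sports: PortSpan  # from 'tcp source eq N' / 'tcp source range A B'
    dports: PortSpan  # from a bare 'eq N' / 'range A B' (destination port)


def _port_spec(tok, i):
    """Parse 'eq N' or 'range A B' at tok[i]; return ((lo, hi), next index)."""
    if tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    raise ValueError(f"unsupported port operator: {tok[i]}")


def _net_member(line):
    tok = line.split()
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1])
    if "/" in tok[0]:
        return ipaddress.ip_network(tok[0], strict=False)
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)  # net mask


def _service_entry(line):
    tok = line.split()
    sports = dports = None
    i = 1
    if i < len(tok) and tok[i] == "source":
        sports, i = _port_spec(tok, i + 1)
    if i < len(tok):
        dports, i = _port_spec(tok, i)
    return ServiceEntry(tok[0], sports, dports)


def _ace(line):
    # Only the form used in the thread is handled:
    #   {permit|deny} object-group SVC object-group SRC object-group DST
    tok = line.split()
    if len(tok) != 7 or tok[1::2] != ["object-group"] * 3:
        raise ValueError(f"unsupported ACE: {line}")
    return tok[0], tok[2], tok[4], tok[6]


def parse_config(text):
    cfg = {"net": {}, "svc": {}, "acl": {}}
    store, parser = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            store, parser = cfg["net"].setdefault(tok[2], []), _net_member
        elif tok[:2] == ["object-group", "service"]:
            store, parser = cfg["svc"].setdefault(tok[2], []), _service_entry
        elif tok[:3] == ["ip", "access-list", "extended"]:
            store, parser = cfg["acl"].setdefault(tok[3], []), _ace
        else:
            store.append(parser(line))
    return cfg


def _in_span(port, span):
    return span is None or span[0] <= port <= span[1]


def acl_permits(cfg, acl_name, proto, src, sport, dst, dport):
    """Evaluate one packet against an ACL, first match wins; implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, svc, sg, dg in cfg["acl"][acl_name]:
        if not any(src_ip in n for n in cfg["net"][sg]):
            continue
        if not any(dst_ip in n for n in cfg["net"][dg]):
            continue
        for e in cfg["svc"][svc]:
            if e.proto == proto and _in_span(sport, e.sports) and _in_span(dport, e.dports):
                return action == "permit"
    return False  # no entry matched: implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    flows = [  # constructed sample packets: (acl, proto, src, sport, dst, dport)
        ("CDE-OUT-V1", "tcp", "192.168.1.10", 51000, "10.100.1.5", 3389),
        ("CDE-OUT-V1", "tcp", "192.168.1.10", 51000, "10.100.1.5", 22),
        ("CDE-IN-V1", "tcp", "10.100.1.5", 3389, "192.168.1.10", 51000),
    ]
    for f in flows:
        print(f, "->", "permit" if acl_permits(cfg, *f) else "deny")
```

The last constructed flow is the one worth checking for any stateless list: a TCP reply from the server carries 3389 as its *source* port, so an entry that names only a destination port does not match it, and the implicit deny drops it. With a stateless ACL, two-way traffic needs the return direction covered explicitly (a `source eq` entry, or `established`), or the router's stateful inspection rather than a plain access-group.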

New Member

Hi,

Try the following configuration:

ip access-list extended CDE-IN-V1
 permit tcp object-group GG-CDE object-group RemoteConsole object-group GG-Internal

// from servers tcp ports vnc/rdp to clients

ip access-list extended CDE-OUT-V1
 permit tcp object-group GG-Internal object-group GG-CDE object-group RemoteConsole

// from clients to servers on tcp ports rdp/vnc


I hope this will help.

Best Regards,


Pedro Lereno
