topic Having issue with ACL confuration in Network Security

Having issue with ACL confuration

Mohammad Rahman — Thu, 12 Dec 2019 20:23:44 GMT

I am having the issue with following below configuration and getting error. Please help me solve the issue.

object-group network LERAPID7_Console
network-object host 192.168.2.80

object-group network LMRAPID7_Console
network-object host 192.168.2.81

object-group network RAPID7_CONSOLE
group-object LERAPID7_Console
group-object LMRAPID7_Console

object-group service Rapid7-Management
service-object tcp destination eq 3750
service-object tcp destination eq 40814
service-object tcp destination eq https

access-list global-access extended permit tcp object-group any object-group RRAPID7_CONSOLE object-group Rapid7-Management

ERROR: specified object-group (Rapid7_Management) has wrong type; expecting service type

Re: Having issue with ACL confuration

nspasov — Fri, 13 Dec 2019 05:52:56 GMT

Hi Mohammad-

The CLI is rejecting the syntax because your object-group already specifies the protocol type (TCP) and your access-list is also calling out for the "TCP." If you already have the protocol defined your object group then you don't need it in your Access Control List Entry. The thread below explains pretty well and it includes an example that you can follow:

https://community.cisco.com/t5/firewalls/unable-to-create-acl-with-object-group-for-service-port/td-p/2716499

Thank you for rating helpful posts!

Re: Having issue with ACL confuration

Mohammad Rahman — Fri, 13 Dec 2019 15:05:02 GMT

Thank you nspasov for your quick answer. I got that solved but I changed my configuration as below. When I browse using the port number 3780, show access-list showing 0 hitting. Please help me solve this issue then I will be done with my project.

object-group network Rapid7_Server
network-group host 192.168.2.2

object-group network Outside_Host
network-group host 192.168.1.165

object-group service Rapid7_MGMT tcp
port-object eq 3780
port-object eq https
access-list global-access extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT

access-list global-access line 1 extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT (hitcnt=0) 0x80fcc2fc
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq 3780 (hitcnt=0) 0x5ff3d781
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq https (hitcnt=0) 0x5025c4b8

Re: Having issue with ACL confuration

nspasov — Sun, 15 Dec 2019 00:41:45 GMT

It is hard to tell why your ACEs are not getting any hits without knowing the test methodology that you used. A simple/quick test is to use the "packet-tracer" command. Can you run that and post the output and also check if the ACEs are getting a hit after running the command? The packet-tracer command actually generates real traffic so you should see the hit count increase.

Thank you for rating helpful posts!