https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906184#M437275 <HTML><HEAD></HEAD><BODY><P> Hi Adam!</P><P></P><P>You are doing it right, you are just missing on little keyword.</P><P>The line should be as this:</P><P></P><P>access-list dmz_access_in extended permit object-group Sample_Port_Group <SPAN style="text-decoration: underline;">host</SPAN> 192.168.1.1 any</P><P></P><P>or you could specify the subnetmask as:</P><P></P><P>access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 <SPAN style="text-decoration: underline;">255.255.255.255 </SPAN>any</P><P></P><P></P><P>Regards</P></BODY></HTML> Fri, 11 May 2012 06:33:56 GMT kampmalm2 2012-05-11T06:33:56Z https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906183#M437273 <P>I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:</P><P></P><P>access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any</P><P></P><P>The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.</P><P></P><P>Going off these posts: </P><P>- <A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A><SPAN> </SPAN></P><P>- <A href="http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html</A></P><P></P><P>Those posts gave me the impression my line was possible, especially the "<SPAN style="font-size: 8pt;">access-list outsideacl extended permit object-group myaclog interface inside any</SPAN>" line, which is at the end of the 2nd article linked. </P><P></P><P>What am I doing wrong?</P><P></P><P>Thanks in advance for any help.</P> Mon, 11 Mar 2019 23:05:22 GMT https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906183#M437273 Adam Hudson 2019-03-11T23:05:22Z https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906184#M437275 <HTML><HEAD></HEAD><BODY><P> Hi Adam!</P><P></P><P>You are doing it right, you are just missing on little keyword.</P><P>The line should be as this:</P><P></P><P>access-list dmz_access_in extended permit object-group Sample_Port_Group <SPAN style="text-decoration: underline;">host</SPAN> 192.168.1.1 any</P><P></P><P>or you could specify the subnetmask as:</P><P></P><P>access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 <SPAN style="text-decoration: underline;">255.255.255.255 </SPAN>any</P><P></P><P></P><P>Regards</P></BODY></HTML> Fri, 11 May 2012 06:33:56 GMT https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906184#M437275 kampmalm2 2012-05-11T06:33:56Z https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906185#M437276 <HTML><HEAD></HEAD><BODY><P>That was simple, thanks for another pair of eyes to take a look at it!</P></BODY></HTML> Thu, 17 May 2012 19:14:17 GMT https://community.cisco.com/t5/network-security/asa-5510-object-groups/m-p/1906185#M437276 Adam Hudson 2012-05-17T19:14:17Z