https://community.cisco.com/t5/network-security/asa-not-taking-an-access-list-command/m-p/1584075#M593780 <P>Hi experts,</P><P></P><P>Here are my relevant configs on the ASA 5510 running 8.3(2)</P><P></P><P><SPAN style="color: #0000ff;">object network Obj_ABC_ICS<BR /> host 192.168.55.11<BR />!</SPAN></P><P><SPAN style="color: #0000ff;">object-group network ObjGrp_ABC_IP<BR /> network-object host 1.2.3.4<BR />object-group service ObjGrp_ABC_Ports<BR /> service-object tcp destination eq 3389<BR /> service-object tcp destination eq www<BR /> service-object tcp destination eq https<BR />!</SPAN></P><P><BR />Then I try to create an ACL with the following command I got the error:</P><P></P><P><SPAN style="color: #0000ff;">access-list ACL_test extended permit tcp object-group ObjGrp_ABC_IP object Obj_ABC_ICS object-group ObjGrp_ABC_Ports</SPAN></P><P></P><P><SPAN style="color: #ff0000;">ERROR: specified object group &lt;ObjGrp_ABC_Ports&gt; has wrong type; expecting service type</SPAN></P><P>...</P><P></P><P>It's indeed the service type!!!</P><P></P><P>What did I do wrong? I also saw the "protocol" type object-group. What's the difference between "service" type and "protocol" type?</P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 19:37:23 GMT Difan Zhao 2019-03-11T19:37:23Z https://community.cisco.com/t5/network-security/asa-not-taking-an-access-list-command/m-p/1584075#M593780 <P>Hi experts,</P><P></P><P>Here are my relevant configs on the ASA 5510 running 8.3(2)</P><P></P><P><SPAN style="color: #0000ff;">object network Obj_ABC_ICS<BR /> host 192.168.55.11<BR />!</SPAN></P><P><SPAN style="color: #0000ff;">object-group network ObjGrp_ABC_IP<BR /> network-object host 1.2.3.4<BR />object-group service ObjGrp_ABC_Ports<BR /> service-object tcp destination eq 3389<BR /> service-object tcp destination eq www<BR /> service-object tcp destination eq https<BR />!</SPAN></P><P><BR />Then I try to create an ACL with the following command I got the error:</P><P></P><P><SPAN style="color: #0000ff;">access-list ACL_test extended permit tcp object-group ObjGrp_ABC_IP object Obj_ABC_ICS object-group ObjGrp_ABC_Ports</SPAN></P><P></P><P><SPAN style="color: #ff0000;">ERROR: specified object group &lt;ObjGrp_ABC_Ports&gt; has wrong type; expecting service type</SPAN></P><P>...</P><P></P><P>It's indeed the service type!!!</P><P></P><P>What did I do wrong? I also saw the "protocol" type object-group. What's the difference between "service" type and "protocol" type?</P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 19:37:23 GMT https://community.cisco.com/t5/network-security/asa-not-taking-an-access-list-command/m-p/1584075#M593780 Difan Zhao 2019-03-11T19:37:23Z https://community.cisco.com/t5/network-security/asa-not-taking-an-access-list-command/m-p/1584076#M593781 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You are using enhanced object groups. Please&nbsp; try the following:</P><P></P><P><SPAN style="color: #0000ff;">access-list&nbsp; ACL_test extended&nbsp; permit </SPAN><SPAN style="color: #0000ff;">object-group&nbsp; ObjGrp_ABC_Ports </SPAN><SPAN style="color: #0000ff;">object-group&nbsp; ObjGrp_ABC_IP object Obj_ABC_ICS </SPAN></P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv</A></P><P></P><P>Hope&nbsp; this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Wed, 19 Jan 2011 16:15:08 GMT https://community.cisco.com/t5/network-security/asa-not-taking-an-access-list-command/m-p/1584076#M593781 Nagaraja Thanthry 2011-01-19T16:15:08Z