https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296286#M838549 <P>I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list as their are several servers behind the asa running web servers.</P><P></P><P>However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.</P><P></P><P>In other words, it will let me do:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site</P><P></P><P>but won't let me do:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www</P><P></P><P>Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www</P><P></P><P>Of course that doesn't really do me much good.</P><P></P><P>Is this a bug in this version of the asa OS? Was this by design and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?</P><P></P><P>Thanks for your assistance.</P> Mon, 11 Mar 2019 16:05:24 GMT caplinktech 2019-03-11T16:05:24Z https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296286#M838549 <P>I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list as their are several servers behind the asa running web servers.</P><P></P><P>However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.</P><P></P><P>In other words, it will let me do:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site</P><P></P><P>but won't let me do:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www</P><P></P><P>Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:</P><P></P><P>access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www</P><P></P><P>Of course that doesn't really do me much good.</P><P></P><P>Is this a bug in this version of the asa OS? Was this by design and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?</P><P></P><P>Thanks for your assistance.</P> Mon, 11 Mar 2019 16:05:24 GMT https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296286#M838549 caplinktech 2019-03-11T16:05:24Z https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296287#M838550 <HTML><HEAD></HEAD><BODY><P>I tried on my box and it worked ????</P><P></P><P></P><P></P><P>######</P><P></P><P></P><P>ASA-5510-8x(config)# object-group network mynetwork</P><P>ASA-5510-8x(config-network)# net</P><P>ASA-5510-8x(config-network)# network-object host 1.1.1.1</P><P>ASA-5510-8x(config-network)# network-object host 2.2.2.2</P><P>ASA-5510-8x(config-network)#</P><P>ASA-5510-8x(config-network)#</P><P>ASA-5510-8x(config-network)# exit</P><P>ASA-5510-8x(config)#</P><P>ASA-5510-8x(config)#</P><P>ASA-5510-8x(config)#</P><P>ASA-5510-8x(config)# access-l testacl permit tcp any ob</P><P>ASA-5510-8x(config)# access-l testacl permit tcp any object-group mynetwork eq www</P><P>ASA-5510-8x(config)# sh access-l testacl</P><P>access-list testacl; 2 elements</P><P>access-list testacl line 1 extended permit tcp any object-group mynetwork eq www 0xf40a2caa</P><P> access-list testacl line 1 extended permit tcp any host 1.1.1.1 eq www (hitcnt=0) 0x11d45404</P><P> access-list testacl line 1 extended permit tcp any host 2.2.2.2 eq www (hitcnt=0) 0xf620c462</P><P></P><P></P><P>#######</P><P></P><P></P><P></P><P>hTH</P><P>sUSHIl</P><P></P></BODY></HTML> Wed, 12 Aug 2009 18:19:34 GMT https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296287#M838550 suschoud 2009-08-12T18:19:34Z https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296288#M838551 <HTML><HEAD></HEAD><BODY><P>Sloppiness from trying to do things in a hurry.</P><P></P><P>It was a capitalization error, must have typed too fast when typing the object group name and my "standards" didn't come in.</P><P></P><P>Thanks for getting me to slow down and think for a bit.</P></BODY></HTML> Wed, 12 Aug 2009 19:10:31 GMT https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296288#M838551 caplinktech 2009-08-12T19:10:31Z https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296289#M838552 <HTML><HEAD></HEAD><BODY><P>no problem....m in TAC and never saw that before...was kind of amazed by the behaviour.... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Cheers!!</P><P></P><P></P><P></P></BODY></HTML> Wed, 12 Aug 2009 19:18:13 GMT https://community.cisco.com/t5/network-security/asa5505-object-groups-in-access-list/m-p/1296289#M838552 suschoud 2009-08-12T19:18:13Z