Hi,

The version he posted also works.

The "object-group" he uses specifies both protocol and port.

Example from my firewall

access-list outbound_access line 1 extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub (hitcnt=0) 0x7c4d1265

  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq https (hitcnt=0) 0x18a14951

  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.62.142.12 eq https (hitcnt=0) 0x127ea116

  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.62.142.2 eq https (hitcnt=0) 0x842644a4

  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 74.50.51.16 eq https (hitcnt=0) 0x1aba7005

- Jouni

Interesting.  Everytime I have tried it the way he mentions, I have never gotten it to work.  The ASA takes the commands but the ACL is never matched.  I see you have 0 hits on the ACL... have you tried generating traffic to see if it is matched?

Hi,

Seems to work on my test ASA

Attached it to my current LAN interface.

ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         WAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outbound_access in interface LAN

access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub

object-group service obj_Meraki_outbound

service-object tcp destination eq https

service-object tcp destination eq www

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

object-group network obj_Meraki_lan

network-object 10.2.11.0 255.255.255.240

network-object 10.5.11.0 255.255.255.240

object-group network obj_Meraki_pub

description: This group lists all hosts associated with Meraki.

network-object host 64.156.192.154

network-object host 64.62.142.12

network-object host 64.62.142.2

network-object host 74.50.51.16

network-object host 74.50.56.218

Additional Information:

access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691

Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.

- Jouni

Thanks Guys

Yeah i was wondering about specifying type of protocol but as you see my object-group has both TCP and UDP.  But it looks like you have addressed that as well.

Im going to give this a shot.  I will post back with results.

One other question.  These ACLs are for outbound traffic to internet and just want to make sure that I should place the ACL on the inside interface.  Is this correct?

Hi,

Usually you will have INBOUND ACL on each interface controlling traffic.

So if we take a simple example with interfaces "inside" , "dmz" and "outside" then we would usually configure an ACL for each interface and attached it with the "access-group" command in the direction "in" to the interface.

These ACLs will essentially control traffic entering that interface from networks that are located behind that interface. So for example "inside" interfaces ACL in this case would control traffc heading from "inside" towards any other interface (and the networks behind it) on the firewall.

In the same way an ACL attached to the "outside" interface in the direction "in" will control all traffic coming from the external network towards your local networks.

So yes, you should control traffic bound to Internet on the LAN/DMZ interfaces with an ACL attached to the direction "in".

- Jouni

So I tried the above

access-list outbound_access extended permit object-group Protocols object-group obj_Meraki_lan object-group obj_Meraki_pub object-group obj_Meraki_outbound

object-group protocol Protocols

protocol-object TCP

protocol-object UDP

It is still barking at me.  Says ob_Meraki_oubound is not a service type which of course it is.   I am looking at other examples of ACLs when using enhanced object groups and it seems the service-objects do not go at the end like normal.  See this https://supportforums.cisco.com/thread/2063088   When ever i see object-groups being used for service object is goes right after permit protocol type is not required.

This format worked.  At least the ASA accepted the acl.

access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub.

I wonder why they change the complete structure of the ACL when you use service objects.  AHHG

Hi Jason,

Change the obj_Meraki_outbound object to the following and try again please. (notice the TCP-UDP keyword at the end of the object-group statement)

object-group service obj_Meraki_outbound tcp-udp

service-object tcp destination eq https

service-object tcp destination eq www

service-object tcp destination eq 7734

service-object tcp destination eq 7752

service-object udp destination eq 7351

access-list outbound_access extended permit object-group PROTOCOLS  object-group obj_Meraki_lan object-group  obj_Meraki_pub object-group  obj_Meraki_outbound

You can't define a protocol on the object-group and then use service-object entries; if you want to define tcp-udp you will have to use port-object instead of service-object.

Example:

object-group service obj_Meraki_outbound tcp-udp

port-object eq https

port-object eq www

port-object eq 7734

port-object eq 7752

port-object eq 7351

Jesse, funny how your contribution helped me solve my problem which is slightly different from Jason's problem.

The problem I had was not being able to go beyond:

ASA(config)# access-list problem extended permit object-group services ?

configure mode commands/options:
<cr>
ASA(config)# access-list problem extended permit object-group services

Your message made me look again at my service object group configuration:

object-group service services tcp
port-object range 3000 3500
port-object range 10000 10500

I went ahead to reconfigure it like so:

object-group service services
service-object tcp destination range 3000 3500
service-object tcp destination range 10000 10500

Straight away, I was able to complete the access-list command and apply it.

ASA(config)# access-list problem extended permit object-group services object-group ip1 object-group ip2
ASA(config)#

Thanks guys!

You're welcome.  I'm glad it helped to resolve your problem.