ASA5505 9.2 Can't create ACL with service-object and network-objects

david.kiernan
Level 1

ASA 5505 with 9.2(4)

I am unable to get past the service object-group in an ACE.

(the object group contains only 1 element now, but may be expanded, hence a "group of 1").

Notice below that the inline help doesn't offer anything other than <cr> after specifying the service-object.

If I forge ahead and enter the rest of a valid line, it gives an error and does not accept it.

There are no other ACEs in the ACL yet; this is to be the first ACE.

If I specify "...permit tcp..." I can use network-object groups.

object-group service objgrp_svc_httpspecial tcp
port-object eq 8080
access-list acl_some_acl extended permit objgrp_svc_httpspecial ?
configure mode commands/options:
<cr>
myasa(config)#

Ajay Saini
Level 7

What is the purpose of this access-list? Assuming that we have a source and destination IP address and/or port numbers/service-object-groups, the format is going to be different:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_objects.html#37203

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_extended.html

-

AJ

I intend to use the ACL in a vpn-filter within a group-policy for a group of RA-VPN clients.  I could certainly use a more traditional "permit tcp object-group src_objgrp object-group dst_objgrp eq 8080", but I was thinking the object would be more flexible and easier to administer, as I anticipate more ports than the current being added to the list of allowed ports.

I was looking at the syntax on the "configuring acl's" link you mention.

What I've done is use the ASDM to generate the ACL, and here is how it turned out:

access-list acl_vpnfilter_group1 extended permit tcp object objnet_vpn_grp1 object-group objgrp_lan_app1 object-group objgrp_svc_app1

where:

objnet_vpn_grp1 = ip range in the dhcp pool for these users

objgrp_lan_app1 = object group defining the hosts comprising the services allowed to this group of users

objgrp_svc_app1 = port-based service group for the services allowed (currently just 8080/tcp)

Apparently if you use the service object in the protocol-argument, that is the complete ACE (no source/dest arguments)?

Let's break it down. VPN filter will use the format wherein source will be the remote subnet (in case of RAVPN, it's the pool IP address) and destination is the local subnet. Now, if you create something like below:

ciscoasa(config)# sh run access-l test
access-list test extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 object-group test-service
ciscoasa(config)# sh access-l test
access-list test; 3 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 object-group test-service (hitcnt=0) 0x806f4e70
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq www (hitcnt=0) 0x2a5dfc5f
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq https (hitcnt=0) 0xcb9a9615
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq domain (hitcnt=0) 0x5cbf5183
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# sh run obje
ciscoasa(config)# sh run object-g id test-service
object-group service test-service tcp
port-object eq www
port-object eq https
port-object eq domain

This is one example wherein the ip pool subnet (2.2.2.0/24) will be able to access subnet 3.3.3.0 on ports defined under object-group test-service. 

The above access-list can be modified, and so can the object-group. Is this something you are looking for? Please check.

-

AJ

There are two ways of using the service group in the ACL, and each method depends on how you configure the service object.  The way you configured the objgrp_svc_httpspecial group requires the object to be placed after you define the networks (either source, destination, or both). For example:

access-list acl_some_acl extended permit tcp host 1.1.1.1 host 2.2.2.2 object-group objgrp_svc_httpspecial

now if you had configured the service object like this:

object service objgrp_svc_httpspecial

  service tcp destination eq 808

Now you can add it in front of the hosts / subnets (after the permit statement)

access-list acl_some_acl permit objgrp_svc_httpspecial host 1.1.1.1 host 2.2.2.2
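The positional rule the replies describe (a protocol-qualified service object-group holds port-objects and belongs after source/destination; an `object service` or protocol-less `object-group service` belongs in the protocol position) as an added config checker. This is not code from the thread or from Cisco; the object names and sample config are constructed, and only the service-object position of an ACE is checked, not its address arguments.

```python
import re

# Constructed sample config (not from the thread); object names are assumptions.
SAMPLE_CONFIG = """\
object-group service objgrp_svc_httpspecial tcp
 port-object eq 8080
object service svc_httpspecial
 service tcp destination eq 8080
object-group service objgrp_svc_multi
 service-object tcp destination eq 8080
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "icmp6", "gre", "esp", "ah"}

def parse_service_objects(config):
    """Map each service object name to the ACE position it may occupy.
    'port-group': 'object-group service NAME tcp|udp|tcp-udp' holding port-objects,
                  only valid as the port argument after source and destination.
    'service':    'object service NAME' or a protocol-less 'object-group service',
                  only valid in the protocol position right after permit/deny."""
    kinds = {}
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"object-group service (\S+)(?: (tcp|udp|tcp-udp))?$", line)
        if m:
            kinds[m.group(1)] = "port-group" if m.group(2) else "service"
        m = re.match(r"object service (\S+)$", line)
        if m:
            kinds[m.group(1)] = "service"
    return kinds

def check_ace(ace, kinds):
    """Return (ok, reason) for the protocol/service part of an extended ACE."""
    tokens = ace.split()
    i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny"))
    proto = tokens[i + 1]
    if proto in PROTOCOLS or proto.isdigit():
        # Protocol form: any service object-group after src/dst must be a port group.
        for j in range(i + 2, len(tokens) - 1):
            if tokens[j] == "object-group" and kinds.get(tokens[j + 1]) == "service":
                return False, f"{tokens[j + 1]} is a service group, not a port group"
        return True, "protocol form"
    if proto in ("object", "object-group"):
        kind = kinds.get(tokens[i + 2])
        if kind == "service":
            return True, "service-object form"
        if kind == "port-group":
            return False, f"{tokens[i + 2]} holds port-objects; put it after source/destination"
        return False, f"{tokens[i + 2]} is not a known service object"
    # Bare name right after permit: the CLI offers only <cr> here (the thread's case).
    return False, f"'{proto}' is not a protocol keyword or an object/object-group reference"
```

Run `check_ace` over the `access-list` lines of a config after `parse_service_objects` has been fed the object definitions; the first rejected line is the one the ASA parser would stop on.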

--

Please remember to select a correct answer and rate helpful posts
