Having issue with ACL configuration

Mohammad Rahman
Level 1

I am having an issue with the configuration below and am getting an error. Please help me solve the issue.


object-group network LERAPID7_Console
network-object host 192.168.2.80

object-group network LMRAPID7_Console
network-object host 192.168.2.81


object-group network RAPID7_CONSOLE
group-object LERAPID7_Console
group-object LMRAPID7_Console

object-group service Rapid7-Management
service-object tcp destination eq 3750
service-object tcp destination eq 40814
service-object tcp destination eq https

access-list global-access extended permit tcp object-group any object-group RRAPID7_CONSOLE object-group Rapid7-Management

ERROR: specified object-group (Rapid7_Management) has wrong type; expecting service type

Accepted Solution

nspasov
Cisco Employee

Hi Mohammad-

The CLI is rejecting the syntax because your object-group already specifies the protocol type (TCP) and your access-list is also calling out "TCP." If you already have the protocol defined in your object group, then you don't need it in your Access Control List Entry. The thread below explains it pretty well and includes an example that you can follow:

https://community.cisco.com/t5/firewalls/unable-to-create-acl-with-object-group-for-service-port/td-p/2716499

Thank you for rating helpful posts!


3 Replies


Thank you nspasov for your quick answer. I got that solved, but I changed my configuration as below. When I browse using port number 3780, show access-list shows 0 hits. Please help me solve this issue, then I will be done with my project.

object-group network Rapid7_Server
network-object host 192.168.2.2

object-group network Outside_Host
network-object host 192.168.1.165

object-group service Rapid7_MGMT tcp
port-object eq 3780
port-object eq https

access-list global-access extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT

access-list global-access line 1 extended permit tcp object-group Outside_Host object-group Rapid7_Server object-group Rapid7_MGMT (hitcnt=0) 0x80fcc2fc
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq 3780 (hitcnt=0) 0x5ff3d781
access-list global-access line 1 extended permit tcp host 192.168.1.165 host 192.168.2.2 eq https (hitcnt=0) 0x5025c4b8

It is hard to tell why your ACEs are not getting any hits without knowing the test methodology that you used. A simple/quick test is to use the "packet-tracer" command. Can you run that and post the output, and also check whether the ACEs are getting a hit after running the command? The packet-tracer command actually generates real traffic, so you should see the hit count increase.

Thank you for rating helpful posts!
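The type rule from nspasov's accepted answer, and the "which ACE has no hits" check from the follow-up, as an added Python lint script that is not part of this thread and not Cisco tooling. It parses a small constructed ASA configuration (group names, addresses and hit counts are made up for the example) and flags an ACE that names a protocol but then points at a service group which already carries its own protocol, the mismatch that produced the "wrong type; expecting service type" error above. It accepts the two forms ASA takes: `permit tcp <src> <dst> object-group <tcp port group>` (the form Mohammad's corrected config uses) and `permit object-group <service group> <src> <dst>`, where the protocol comes from the group and so is left out of the ACE, which is what the answer's "you don't need it in your ACE" refers to. It also reads `show access-list` output and lists the expanded entries whose counter is still 0.

```python
import re

# Constructed sample ASA configuration, not the thread's real device config.
# Console_Svc carries its own protocol (service-object lines); Console_Ports is a
# tcp port group. The four ACEs cover the invalid pairing, both valid forms, and
# a reference to a group that was never defined.
SAMPLE_CONFIG = """\
object-group network Mgmt_Console
 network-object host 198.51.100.20
object-group service Console_Svc
 service-object tcp destination eq 3780
 service-object tcp destination eq https
object-group service Console_Ports tcp
 port-object eq 3780
 port-object eq https
access-list global-access extended permit tcp any object-group Mgmt_Console object-group Console_Svc
access-list global-access extended permit object-group Console_Svc any object-group Mgmt_Console
access-list global-access extended permit tcp any object-group Mgmt_Console object-group Console_Ports
access-list global-access extended permit tcp any object-group Missing_Group object-group Console_Ports
"""

# Constructed 'show access-list' output in the same shape as the one posted above.
SAMPLE_SHOW = """\
access-list global-access line 1 extended permit tcp host 192.0.2.10 object-group Mgmt_Console object-group Console_Ports (hitcnt=7) 0x00000001
access-list global-access line 1 extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 3780 (hitcnt=7) 0x00000002
access-list global-access line 1 extended permit tcp host 192.0.2.10 host 198.51.100.20 eq https (hitcnt=0) 0x00000003
"""

GROUP_RE = re.compile(r"^object-group (network|service) (\S+)(?: (tcp|udp|tcp-udp))?$")
HIT_RE = re.compile(r"^access-list \S+ line \d+ extended (.+?) \(hitcnt=(\d+)\)")


def parse_groups(config):
    """Map group name -> 'network', 'service' (protocol lives in the group) or 'port:<proto>'."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            kind, name, proto = m.groups()
            groups[name] = f"port:{proto}" if proto else kind
    return groups


def _take_endpoint(tokens, i, groups, errors):
    """Consume one address term (any | host A.B.C.D | object-group NAME); return next index."""
    tok = tokens[i]
    if tok == "any":
        return i + 1
    if tok == "host":
        return i + 2
    if tok == "object-group":
        name = tokens[i + 1]
        if name not in groups:
            errors.append(f"undefined object-group {name}")
        elif groups[name] != "network":
            errors.append(f"object-group {name} has wrong type; expecting network type")
        return i + 2
    errors.append(f"unrecognised address term {tok!r}")
    return i + 1


def check_ace(line, groups):
    """Lint one extended ACE; returns a list of problems (empty when the ACE is consistent)."""
    tokens = line.split()
    errors = []
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return ["not an extended access-list entry"]
    i = 4  # token after permit/deny: a protocol keyword or 'object-group <service group>'
    proto = tokens[i]
    if proto == "object-group":
        name = tokens[i + 1]
        if name not in groups:
            errors.append(f"undefined object-group {name}")
        elif groups[name] != "service":
            errors.append(f"object-group {name} has wrong type; expecting service type")
        i += 2
        port_group_allowed = False  # protocol and ports already come from the group
    else:
        i += 1
        port_group_allowed = proto in ("tcp", "udp")
    i = _take_endpoint(tokens, i, groups, errors)
    i = _take_endpoint(tokens, i, groups, errors)
    if i < len(tokens) and tokens[i] == "object-group":
        name = tokens[i + 1]
        if not port_group_allowed:
            errors.append(f"trailing object-group {name} cannot follow protocol '{proto}'")
        elif name not in groups:
            errors.append(f"undefined object-group {name}")
        elif groups[name] != f"port:{proto}":
            errors.append(f"object-group {name} has wrong type; expecting {proto} port group")
    return errors


def lint_config(config):
    """Return [(ace_line, [problems...])] for every access-list entry in the config."""
    groups = parse_groups(config)
    return [(l, check_ace(l, groups)) for l in config.splitlines() if l.startswith("access-list ")]


def zero_hit_aces(show_output):
    """Entries from 'show access-list' whose hit counter is still 0."""
    matches = (HIT_RE.match(l) for l in show_output.splitlines())
    return [m.group(1) for m in matches if m and int(m.group(2)) == 0]


if __name__ == "__main__":
    for ace, problems in lint_config(SAMPLE_CONFIG):
        print("OK " if not problems else "ERR", ace, *problems, sep="\n    ")
    for ace in zero_hit_aces(SAMPLE_SHOW):
        print("no hits:", ace)
```

The zero-hit list is the input to the packet-tracer check suggested in the reply: for the https entry above you would run, on the ASA, `packet-tracer input outside tcp 192.0.2.10 12345 198.51.100.20 443` (interface name and source port are assumptions for the sample) and then re-run `show access-list` to see whether that entry's counter moved.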
