cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


230
Views
0
Helpful
3
Replies
Beginner

Strange Inside ACL Issue

We've been having a few problems over the past week or so which Objects and Object groups.

What we have is an object group called HTTP out which contains around 120 objects and 10 object groups, this object group is part of a rule any source to HTTP out on IP service.

One of the boject groups contains a class C subnet an external application along with other addresses for this application.

What we've found is that no users trying to connect to an address in this subnet works, but if we put the same subnet in its own rule above the HTTP out rule it works fine.

Are there any limits on the number of objects you can have in any one object group and what else can I look to see why connections to this subnet don't work when its part of the HTTP out object group?

Any help or advice would be much appreciated.

Thanks

Jon

Everyone's tags (4)
3 REPLIES 3
Cisco Employee

Strange Inside ACL Issue

Hi Jon,

Would you be able to remove the Rule (assuming that is still on as a workaround) and run a packet tracer? Maybe it is not even hitting it.

Mike Rojas

Mike
Beginner

Strange Inside ACL Issue

Mike

I did a packet tracer before I put the more specific rule in place and it said packet allowed.

Thanks

Jon

Cisco Employee

Strange Inside ACL Issue

Hello,

I need the detailed packet tracer to see where it matches the object group but the packet does not pass through, also will be needing the logs to see whats the reason for the packet to be dropped.

Let me know if you would be able to do testing (If this does not work, we would be persuing a lab recreate and try to see if this could be a new defect)

Mike

Mike