Unable to add object-group to acl

Hi,

I have encountered a problem which puzzles me.

Here are my object-groups:

    object-group network fserve
     network-object host fserve-active
     network-object host fserve-standby
    object-group service fserve-services
     service-object tcp eq www
     service-object tcp eq ftp
    object-group icmp-type test-connection
     icmp-object echo
     icmp-object echo-reply
     icmp-object unreachable
     icmp-object time-exceeded
    object-group network dmz-hosts
     group-object fserve
    object-group service dmz-services
     group-object fserve-services
    object-group network inside-hosts
     description define inside hosts
     network-object 172.16.0.0 255.255.0.0
    object-group protocol dmz-ports
     protocol-object tcp

I am trying to add a service object group, but the ASA refuses and says it is an error. Here's what I typed:

    access-list pub->dmz extended permit object-group dmz-ports any object-group dmz-hosts object-group dmz-services

Here's what the ASA said:

    ERROR: specified object group <dmz-services> has wrong type; expecting service type

I would like to know what has gone wrong... dmz-services is indeed a service object-group, but the ASA refused to accept it.

Thanks.

3 REPLIES

Unable to add object-group to acl

You have to mention group-object fserver-services >> what and all included this need to add in to same then only work.

Rajeswar

Unable to add object-group to acl

Thank you for your reply, but sorry I do not understand what you mean.

If you mean dmz-services did not include group-object fserve-services, then look again at the object group config.

    object-group service dmz-services
     group-object fserve-services

Unable to add object-group to acl

I have fixed the problem.