Solved: Access list

WiLL-I-Am · ‎11-07-2020

object network SSL-VPN-POOL
 subnet 10.25.235.0 255.255.255.0
object-group service DM_INLINE_SERVICE
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq https 
 service-object object vnc 

object network iDRAC_LAN
 subnet 10.25.230.0 255.255.255.0

access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN

can you guys translate this access-list, what is the src ip and port and what is the dst ip and port?

if I am not wrong, the red is the source ip port, and the blue is the destination sets of ip port although we don't have any destination port in this example?!

Thanks

Marius Gunnerud · ‎11-08-2020

access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN

Green - This is the protocl being used. That is IP, TCP, UDP, ICMP, etc.

Red - is the source IP or subnet

Blue - is the destination IP or subnet

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Rob Ingram · ‎11-08-2020

Hi @WiLL-I-Am

No that's incorrect, the service object is referenced before source/destination networks. I pasted your config into my lab, as you can see the ports you defined in your service group are all destination services.

DC-2(config)# show access-list
access-list OUTSIDE_in; 4 elements; name hash: 0xc644d63b
access-list OUTSIDE_in line 1 extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN (hitcnt=0) 0xc0311470
access-list OUTSIDE_in line 1 extended permit icmp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 echo (hitcnt=0) 0x2aa70f34
access-list OUTSIDE_in line 1 extended permit icmp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 echo-reply (hitcnt=0) 0xc3652676
access-list OUTSIDE_in line 1 extended permit tcp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 eq https (hitcnt=0) 0x45426cbd

If you had a service group object with the service source defined

object-group service SVC
service-object tcp source eq 3000

You'd see this in the ACL (traffic is permitted from 10.25.235.0/24 on source tcp/3000 to any destination port on 10.25.230.0/24).

access-list OUTSIDE_in line 3 extended permit object-group SVC object SSL-VPN-POOL object iDRAC_LAN (hitcnt=0) 0x9a1dd9b3
access-list OUTSIDE_in line 3 extended permit tcp 10.25.235.0 255.255.255.0 eq 3000 10.25.230.0 255.255.255.0 (hitcnt=0) 0x2d3359ec

HTH

Marius Gunnerud · ‎11-08-2020

access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN

Green - This is the protocl being used. That is IP, TCP, UDP, ICMP, etc.

Red - is the source IP or subnet

Blue - is the destination IP or subnet

--
Please remember to select a correct answer and rate helpful posts

MHM Cisco World · ‎11-08-2020

object-group service DM_INLINE_SERVICE
 service-object icmp echo <-ICPM is L3 protocol don't have source/destination L4 port number 
 service-object icmp echo-reply<-<-ICPM is L3 protocol don't have source/destination L4 port number 
 service-object tcp destination eq https<-here you already specific L4 port number that the source is any and destination is http.

So you filter from SSL-VPN client toward destination LAN,
for tcp it easy
for ICMP only these types with source and destination is permit other is deny.