Access list

WiLL-I-Am
Level 1

object network SSL-VPN-POOL
subnet 10.25.235.0 255.255.255.0
object-group service DM_INLINE_SERVICE
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq https
service-object object vnc

object network iDRAC_LAN
subnet 10.25.230.0 255.255.255.0

access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN

Can you guys translate this access-list? What is the source IP and port, and what is the destination IP and port?

If I am not wrong, the red is the source IP/port and the blue is the destination set of IP/port, although we don't have any destination port in this example?!

Thanks

Accepted Solution


access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN

Green - This is the protocol being used. That is IP, TCP, UDP, ICMP, etc.

Red - is the source IP or subnet

Blue - is the destination IP or subnet

--
Please remember to select a correct answer and rate helpful posts

3 Replies

Hi @WiLL-I-Am 

No, that's incorrect: the service object is referenced before the source/destination networks. I pasted your config into my lab; as you can see, the ports you defined in your service group are all destination services.

DC-2(config)# show access-list
access-list OUTSIDE_in; 4 elements; name hash: 0xc644d63b
access-list OUTSIDE_in line 1 extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN (hitcnt=0) 0xc0311470
access-list OUTSIDE_in line 1 extended permit icmp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 echo (hitcnt=0) 0x2aa70f34
access-list OUTSIDE_in line 1 extended permit icmp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 echo-reply (hitcnt=0) 0xc3652676
access-list OUTSIDE_in line 1 extended permit tcp 10.25.235.0 255.255.255.0 10.25.230.0 255.255.255.0 eq https (hitcnt=0) 0x45426cbd

If you had a service group object with the service source defined:

object-group service SVC
service-object tcp source eq 3000

You'd see this in the ACL (traffic is permitted from 10.25.235.0/24 on source tcp/3000 to any destination port on 10.25.230.0/24).

access-list OUTSIDE_in line 3 extended permit object-group SVC object SSL-VPN-POOL object iDRAC_LAN (hitcnt=0) 0x9a1dd9b3
access-list OUTSIDE_in line 3 extended permit tcp 10.25.235.0 255.255.255.0 eq 3000 10.25.230.0 255.255.255.0 (hitcnt=0) 0x2d3359ec

HTH
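To make the rule in the reply above concrete (ports in a service object-group bind to the destination unless the entry says `source`, and ICMP entries carry a type rather than L4 ports), here is an added Python example that flattens object-based ACEs the way `show access-list` displays them. It is not code from the thread or from Cisco; the config is a constructed copy of the thread's objects plus the reply's SVC group, with the `object vnc` entry left out because the lab output shows it was not defined.

```python
# Constructed sample config: the thread's objects plus the reply's SVC group
CONFIG = """
object network SSL-VPN-POOL
 subnet 10.25.235.0 255.255.255.0
object network iDRAC_LAN
 subnet 10.25.230.0 255.255.255.0
object-group service DM_INLINE_SERVICE
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq https
object-group service SVC
 service-object tcp source eq 3000
access-list OUTSIDE_in extended permit object-group DM_INLINE_SERVICE object SSL-VPN-POOL object iDRAC_LAN
access-list OUTSIDE_in extended permit object-group SVC object SSL-VPN-POOL object iDRAC_LAN
"""

def parse(config):
    """Collect subnet objects, service object-groups and ACEs (minimal grammar)."""
    nets, svcs, aces, net, svc = {}, {}, [], None, None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[:2] == ["object", "network"]:
            net = w[2]
        elif w[0] == "subnet":
            nets[net] = f"{w[1]} {w[2]}"
        elif w[:2] == ["object-group", "service"]:
            svc = svcs.setdefault(w[2], [])
        elif w[0] == "service-object":
            svc.append(w[1:])
        elif w[0] == "access-list":
            aces.append(w)
    return nets, svcs, aces

def port_after(so, key):
    """' eq https'-style text after KEY in a service-object, or '' if absent."""
    return f" {so[so.index(key)+1]} {so[so.index(key)+2]}" if key in so else ""

def expand(nets, svcs, ace):
    """Flatten one object-based ACE into the per-protocol lines ASA shows."""
    name, action, group = ace[1], ace[3], ace[5]
    src, dst = nets[ace[7]], nets[ace[9]]
    rows = []
    for so in svcs[group]:
        proto = so[0]
        # ICMP entries carry a type after the destination, never an L4 port
        itype = f" {so[1]}" if proto == "icmp" and len(so) > 1 else ""
        rows.append(f"access-list {name} extended {action} {proto} {src}"
                    f"{port_after(so, 'source')} {dst}{port_after(so, 'destination')}{itype}")
    return rows

def expand_all(config):
    nets, svcs, aces = parse(config)
    return [row for ace in aces for row in expand(nets, svcs, ace)]
```

`expand_all(CONFIG)` returns the three lines from the first lab output plus the `eq 3000` source-port line from the second, minus the hit counts and hashes.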

object-group service DM_INLINE_SERVICE
service-object icmp echo <- ICMP is an L3 protocol and does not have source/destination L4 port numbers
service-object icmp echo-reply <- ICMP is an L3 protocol and does not have source/destination L4 port numbers
service-object tcp destination eq https <- here you already specify the L4 port number: the source is any and the destination is http.

So you filter from the SSL-VPN client toward the destination LAN:
for TCP it is easy;
for ICMP, only these types between the source and destination are permitted, the others are denied.