ACL and Object group for port ranges

dan hale
Level 3

Hello All, I need to allow traffic through my ASA for Expressway. Per the guide they want a range of TCP and UDP ports open into my DMZ from inside and outside. I thought I wrote this out correctly but, when I check it via packet tracer, it says that my packets are dropped by the "implicit" deny IP any any on my inside interface when testing inside to DMZ... this is what I did:

object-group service ExpresswayC_to_ExpresswayE tcp-udp
 port-object eq 7400
 port-object eq 2222
 port-object range 25000 29999
 port-object range 36000 59999

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list in-inside remark Allow ExpresswayC communication to ExpresswayE
access-list in-inside extended permit object-group TCPUDP host 192.168.20.20 host xxx.xxx.xxx.xxx object-group ExpresswayC_to_ExpresswayE log

Does this look correct? The above is just the ACL for inbound traffic on the inside interface.

Thanks,

Daniel

1 Reply

Akshay Rastogi
Cisco Employee

Hi Daniel,

Access-list looks fine, but it depends upon the version you use as well. If you are using a version post 8.3 and the x.x.x.x mentioned is a NATed IP, then use the private IP in the access-list instead of the public one.

Does adding ip any any work for you (for testing purposes)?

Regards,

Akshay Rastogi
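Putting Daniel's object groups together with Akshay's point about post-8.3 code, here is an added example (not posted by either participant) of what the inside-to-DMZ rule looks like when the ACL references the real DMZ address and the translation is carried by a network object, followed by the packet-tracer checks that show whether the rule, rather than the implicit deny, is matched. The DMZ address 10.10.20.20, the public address 203.0.113.20 and the interface names inside/dmz/outside are constructed placeholders; 192.168.20.20 and the port list are from the original post.

```cisco
! Added example, not from the thread. Assumes ASA 8.3 or later, where ACLs
! match the REAL (untranslated) address of the host, and assumes these
! constructed values: Expressway-E real address 10.10.20.20, public address
! 203.0.113.20, interfaces named inside, dmz and outside.

! The DMZ host and its static translation to the public address.
object network ExpresswayE
 host 10.10.20.20
 nat (dmz,outside) static 203.0.113.20

! Port list from the original post (TCP and UDP alike).
object-group service ExpresswayC_to_ExpresswayE tcp-udp
 port-object eq 7400
 port-object eq 2222
 port-object range 25000 29999
 port-object range 36000 59999

object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp

! Destination is the network object (real 10.10.20.20), not the public IP.
access-list in-inside remark Allow ExpresswayC communication to ExpresswayE
access-list in-inside extended permit object-group TCPUDP host 192.168.20.20 object ExpresswayE object-group ExpresswayC_to_ExpresswayE log
access-group in-inside in interface inside

! Test one flow from each range. In the ACCESS-LIST phase of the output,
! look for the in-inside rule and "Action: allow" rather than the implicit
! rule; a test against the public address 203.0.113.20 from inside is
! expected to hit the implicit deny on post-8.3 code.
packet-tracer input inside tcp 192.168.20.20 40000 10.10.20.20 7400
packet-tracer input inside udp 192.168.20.20 40000 10.10.20.20 36000

! After a real connection attempt, hit counts confirm the rule is in use.
show access-list in-inside
```

The same ACL written with the public address as destination is what produces the implicit-deny drop Daniel describes on post-8.3 code, because by the time the inside ACL is evaluated the destination has not been translated; checking both addresses in packet-tracer makes the difference visible without any change to production traffic.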
