Solved: ACL syntax problem

Colin Higgins · ‎12-18-2013

I have a ASA services modules in a 6509-E that is giving me issues with ragards to ACL syntax

Let's say I have a KMS server at 192.168.20.10

I want to allow all hosts to reach this server at port tcp 1688

so I do

object-group network KMS-SERVERS

host 192.168.20.10

then

access-list KMS-ACCESS-IN extended permit tcp any object-group KMS-SERVERS eq 1688

problem is, it WILL NOT take the "eq 1688"

this was a valid command in other IOS versions. Why isn't it working now?

Karsten Iwen · ‎12-18-2013

that is typically the case if the object-group is not available. Thats the reason I asked what you *really* configured on your box.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten Iwen · ‎12-18-2013

Is that really what you configured? Your object-group doesn't look like that what you show here is what you did on your ASA.

Please verify and show the exact terminal-output.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Colin Higgins · ‎12-18-2013

well that is my question

the command

access-list KMS-ACCESS-IN extended permit tcp any host 192.168.20.10 eq 1688

will work

access-list KMS-ACCESS-IN extended permit tcp any object-group KMS-SERVERS eq 1688

will not

I don't get any options after the object group

this used to work

Karsten Iwen · ‎12-18-2013

that is typically the case if the object-group is not available. Thats the reason I asked what you *really* configured on your box.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni