Solved: ACL with object-group to object-group and port definitions

Rich Ahlert · ‎05-12-2014

Hello,

I have a scenario where I have multiple print servers on my outside interface that need to print/communicate to printers on my inside interface. I have setup a 1 to 1 nat for the printers but need to figure out the ACl for it. My thought was to group all my outside print servers together in one object-group and group all my inside printer networks in another object-group and then put all the ports in an another object-group then write the acl as follows

access-list ALLOW-OUTSIDE-to-INSIDE-PRINTING extended permit object-group PRINTER-PORTS object-group OUTSIDE-PRINT-SERVERS object-group INSIDE-PRINTERS

but all I get after the first object-group parameter is a return option <CR>. The code running on the ASA is 8.6. Is this possible? Do I need to upgrade to the latest 9.x code?

guibarati · ‎05-14-2014

You have to have created the object-group service before you try this command. (That is right, even before you press "Enter", when you use "?" to see the command syntax if the name of the service group you used in the line doesn't exist ASA won't show the rest of the command.)

View solution in original post

guibarati · ‎05-14-2014

You have to have created the object-group service before you try this command. (That is right, even before you press "Enter", when you use "?" to see the command syntax if the name of the service group you used in the line doesn't exist ASA won't show the rest of the command.)

Rich Ahlert · ‎05-21-2014

Thank you guibarati.