01-09-2014 08:02 AM - edited 03-11-2019 08:27 PM
Can someone please show me how to add existing network objects to existing access control lists in a network object group using the CLI in ASA version 9.x on the inside interface? The source is an already existing network object and the destination is an existing network object group. Thanks.
Labels: NGFW Firewalls
Accepted Solution
01-09-2014 09:05 AM
Hi,
Well if the existing "access-list" rule has an "object-group network
object-group network
network-object host
- Jouni
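The procedure from the accepted answer, written out end to end as an added example (this is not the original poster's or Jouni's configuration; the object names, addresses and port are made up for illustration):

```cisco
! Added example (constructed names/addresses), ASA 9.x.
! The pieces the thread says already exist:
! Source host as a network object
object network SRV-APP01
 host 10.1.10.25
!
! Destination group referenced by the ACL
object-group network GRP-DB-SERVERS
 network-object host 10.1.20.11
 network-object host 10.1.20.12
!
! Existing ACL on the inside interface; this single ACE is expanded
! by the ASA into one line per group member
access-list INSIDE_IN extended permit tcp object SRV-APP01 object-group GRP-DB-SERVERS eq 1433
access-group INSIDE_IN in interface inside
!
! --- What the question is about: adding a new host (10.1.20.13) to the group ---
! Re-entering the group name edits it in place; no new access-list line is needed.
! The poster reports that re-typing the access-list line only produced a duplicate
! entry, because the ACE matches on the group's membership, not on a new ACE.
object-group network GRP-DB-SERVERS
 network-object host 10.1.20.13
!
! --- Checks ---
! Confirm the group now has three members
show running-config object-group id GRP-DB-SERVERS
! Confirm the ACE expanded to include the new host (expanded lines carry hit counters)
show access-list INSIDE_IN
! Caveat: the group is shared. Every ACL or policy that references GRP-DB-SERVERS
! now matches 10.1.20.13 too, so look for other references before adding a member
show running-config | include GRP-DB-SERVERS
```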
01-09-2014 08:09 AM
Hi,
I am not entirely sure of what you are asking.
What I understood is that you have the following already
- An "access-list" that is attached to the "inside" interface
- An existing "object network" configured that will be used as the source for the "access-list" rule
- An existing "object-group network" configured that will be used as the destination for the "access-list" rule
If the above is true then you would simply configure
access-list
The above though would permit all TCP/UDP traffic
If you want to only allow specific ports for either TCP or UDP then you would use the format
access-list
access-list
Naturally if you want to allow multiple ports there would be further ways to group those ports together also inside "object-group" to make the configuration smaller/cleaner.
Please let me know if you were looking for something else and I misunderstood.
Hope this helps
- Jouni
01-09-2014 08:41 AM
Close, but when I did that command access-list
All it did was create a duplicate of what already existed.
Sorry for not explaining well enough.
What I want to do is add a host (server) to a network object group that already exists in an acl.
Inside interface
rule# 15 - source is a network object (just a server) and the destination is a network object group.
I want to add a host to the network object group.
Thanks again.
01-09-2014 01:49 PM
Thanks that did it.