Solved: ASA not taking an access-list command

Difan Zhao · ‎01-19-2011

Hi experts,

Here are my relevant configs on the ASA 5510 running 8.3(2)

object network Obj_ABC_ICS
host 192.168.55.11
!

object-group network ObjGrp_ABC_IP
network-object host 1.2.3.4
object-group service ObjGrp_ABC_Ports
service-object tcp destination eq 3389
service-object tcp destination eq www
service-object tcp destination eq https
!

Then I try to create an ACL with the following command I got the error:

access-list ACL_test extended permit tcp object-group ObjGrp_ABC_IP object Obj_ABC_ICS object-group ObjGrp_ABC_Ports

ERROR: specified object group <ObjGrp_ABC_Ports> has wrong type; expecting service type

...

It's indeed the service type!!!

What did I do wrong? I also saw the "protocol" type object-group. What's the difference between "service" type and "protocol" type?

Thanks!

Nagaraja Thanthry · ‎01-19-2011

Hello,

You are using enhanced object groups. Please try the following:

access-list ACL_test extended permit object-group ObjGrp_ABC_Ports object-group ObjGrp_ABC_IP object Obj_ABC_ICS

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#serv

Hope this helps.

Regards,

NT

View solution in original post

Nagaraja Thanthry · ‎01-19-2011