02-02-2017 04:01 PM - edited 03-12-2019 01:52 AM
ASA 5505 with 9.2(4)
I am unable to get past the service object-group in an ACE.
(the object group contains only 1 element now, but may be expanded, hence a "group of 1").
Notice below that the inline help doesn't offer anything other than <cr> after specifying the service-object.
If I forge ahead and enter the rest of a valid line, it gives an error and does not accept it.
There are no other ACEs in the ACL yet; this is to be the first ACE.
If I specify "...permit tcp..." I can use network-object groups.
object-group service objgrp_svc_httpspecial tcp
port-object eq 8080
access-list acl_some_acl extended permit objgrp_svc_httpspecial ?
configure mode commands/options:
<cr>
myasa(config)#
02-02-2017 04:56 PM
What is the purpose of this access-list? Assuming that we have a source and destination IP address and/or port numbers/service object-groups, the format is going to be different:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_objects.html#37203
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_extended.html
-
AJ
02-03-2017 05:02 AM
I intend to use the ACL in a vpn-filter within a group-policy for a group of RA-VPN clients. I could certainly use a more traditional "permit tcp object-group src_objgrp object-group dst_objgrp eq 8080", but I was thinking the object would be more flexible and easier to administer, as I anticipate more ports than the current being added to the list of allowed ports.
I was looking at the syntax on the "configuring acl's" link you mention.
What I've done is use the ASDM to generate the ACL, and here is how it turned out:
access-list acl_vpnfilter_group1 extended permit tcp object objnet_vpn_grp1 object-group objgrp_lan_app1 object-group objgrp_svc_app1
where:
objnet_vpn_grp1 = ip range in the dhcp pool for these users
objgrp_lan_app1 = object group defining the hosts comprising the services allowed to this group of users
objgrp_svc_app1 = port-based service group for the services allowed (currently just 8080/tcp)
Apparently if you use the service object in the protocol-argument, that is the complete ACE (no source/dest arguments)?
02-07-2017 06:56 AM
Let's break it down. VPN filter will use the format wherein source will be the remote subnet (in case of RAVPN, its pool IP address) and destination is the local subnet. Now, if you create something like below:
ciscoasa(config)# sh run access-l test
access-list test extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 object-group test-service
ciscoasa(config)# sh access-l test
access-list test; 3 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 object-group test-service (hitcnt=0) 0x806f4e70
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq www (hitcnt=0) 0x2a5dfc5f
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq https (hitcnt=0) 0xcb9a9615
access-list test line 1 extended permit tcp 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0 eq domain (hitcnt=0) 0x5cbf5183
ciscoasa(config)#
ciscoasa(config)# sh run obje
ciscoasa(config)# sh run object-g id test-service
object-group service test-service tcp
port-object eq www
port-object eq https
port-object eq domain
This is one example wherein the ip pool subnet (2.2.2.0/24) will be able to access subnet 3.3.3.0 on ports defined under object-group test-service.
The above access-list can be modified, and so can the object-group. Is this something you are looking for? Please check.
-
AJ
02-07-2017 10:08 AM
There are two ways of using the service group in the ACL, and each method depends on how you configure the service object. The way you configured the objgrp_svc_httpspecial group requires the object to be placed after you define the networks (either source, destination, or both). For example:
access-list acl_some_acl extended permit tcp host 1.1.1.1 host 2.2.2.2 object-group objgrp_svc_httpspecial
now if you had configured the service object like this:
object service objgrp_svc_httpspecial
service tcp destination eq 8080
Now you can add it in front of the hosts / subnets (after the permit statement)
access-list acl_some_acl extended permit object objgrp_svc_httpspecial host 1.1.1.1 host 2.2.2.2
--
Please remember to select a correct answer and rate helpful posts
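The placement rule the replies describe (a tcp/udp port-object group goes after the addresses; a protocol-less service group or `object service` goes in the protocol position, with the `object`/`object-group` keyword) can be checked before a config is pushed. The following is an added example, not code from the thread or from Cisco; the config fragment, object names and ACL names in it are constructed.

```python
import re

# Constructed ASA config fragment (not from the thread): a protocol-typed
# port-object group, a protocol-less service group, a service object, and
# ACEs that reference them in the right and wrong positions.
SAMPLE_CONFIG = """\
object-group service objgrp_svc_httpspecial tcp
 port-object eq 8080
object-group service svc_app
 service-object tcp destination eq 8080
object service svc_http8080
 service tcp destination eq 8080
access-list acl_a extended permit tcp host 1.1.1.1 host 2.2.2.2 object-group objgrp_svc_httpspecial
access-list acl_b extended permit object-group objgrp_svc_httpspecial host 1.1.1.1 host 2.2.2.2
access-list acl_c extended permit object-group svc_app host 1.1.1.1 host 2.2.2.2
access-list acl_d extended permit object svc_http8080 host 1.1.1.1 host 2.2.2.2
access-list acl_e extended permit objgrp_svc_httpspecial host 1.1.1.1 host 2.2.2.2
"""

def parse_services(config):
    """Return {name: kind}: 'port-group' for a service object-group typed with
    tcp/udp/tcp-udp (holds port-objects, valid only after the addresses),
    'service' for a protocol-less service group or an 'object service'
    (carries its own protocol, valid only in the protocol position)."""
    kinds = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'^object-group service (\S+)(?: (tcp|udp|tcp-udp))?$', line)
        if m:
            kinds[m.group(1)] = 'port-group' if m.group(2) else 'service'
        m = re.match(r'^object service (\S+)$', line)
        if m:
            kinds[m.group(1)] = 'service'
    return kinds

def check_aces(config):
    """Return {acl_name: (ok, reason)} for every ACE that references a known service."""
    kinds = parse_services(config)
    results = {}
    for raw in config.splitlines():
        m = re.match(r'^access-list (\S+) (?:extended )?(?:permit|deny) (.+)$', raw.strip())
        if not m:
            continue
        name, tok = m.group(1), m.group(2).split()
        if tok[0] in kinds:  # bare name where the protocol argument is expected
            results[name] = (False, f"{tok[0]} needs the object/object-group keyword")
        elif tok[0] in ('object', 'object-group') and tok[1] in kinds:
            ok = kinds[tok[1]] == 'service'
            results[name] = (ok, "ok" if ok else "protocol position needs a service object or protocol-less service group")
        elif tok[-2] == 'object-group' and tok[-1] in kinds:
            ok = kinds[tok[-1]] == 'port-group'
            results[name] = (ok, "ok" if ok else "port position needs a tcp/udp port-object group")
    return results
```

Running `check_aces(SAMPLE_CONFIG)` flags acl_b and acl_e (the original poster's form) as invalid and accepts acl_a, acl_c and acl_d.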