04-29-2014 01:19 AM - edited 03-11-2019 09:08 PM
Hi,
My ASA5505 has started acting strangely in the ASDM. When I start creating network objects and network object groups, it often fails.
Actually, what I am trying to do is to deny connections to/from advertisement servers; it is supposed to be an easy task.
This is the error message from the ASDM when I edit the network object group:
[OK] object network ADS.ds.serving-sys.com
object network ADS.ds.serving-sys.com
[OK] fqdn v4 ds.serving-sys.com
[OK] description ds.serving-sys.com
[OK] object-group network ADS_BLOCK
object-group network ADS_BLOCK
[ERROR] network-object object ADS.b.voicefive.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister b.voicefive.com lookup service (10)
[ERROR] network-object object ADS.cmh.hk.overture.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister cmh.hk.overture.com lookup service (10)
[ERROR] network-object object ADS.ds.serving-sys.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister ds.serving-sys.com lookup service (10)
[ERROR] network-object object ADS.i.l.networld.hk
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister i.l.networld.hk lookup service (10)
[ERROR] network-object object ADS.pagead2.googlesyndication.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister pagead2.googlesyndication.com lookup service (10)
[ERROR] network-object object ADS.pubads.g.doubleclick.net
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister pubads.g.doubleclick.net lookup service (10)
[ERROR] network-object object ADS.s3-ap-southeast-1.amazonaws.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister s3-ap-southeast-1.amazonaws.com lookup service (10)
[ERROR] network-object object ADS.servedby.adsfactor.net
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister servedby.adsfactor.net lookup service (10)
My ASA5505 is running ASA 9.2, ASDM 7.2.1. How can I solve this problem? The ACL for this network group also disappears after I create it with the network object group, again and again. It just doesn't work now.
Thanks
Daniel
04-29-2014 03:17 AM
If you enable "preview commands" under Preferences before deploying, review the commands to see if there might be some issues with the commands the ASDM is trying to deploy.
Have you tried adding the object groups and ACLs using the CLI? Has this been successful?
--
Please remember to select a correct answer and rate
04-29-2014 04:14 AM
Hi Marius,
Thanks for the suggestion - I have enabled the option you mentioned.
I can see it is trying to do:
object-group network ADS_BLOCK
network-object object ADS.b.voicefive.com
network-object object ADS.cmh.hk.overture.com
Then it came back:
[OK] object-group network ADS_BLOCK
object-group network ADS_BLOCK
[ERROR] network-object object ADS.b.voicefive.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister b.voicefive.com lookup service (10)
[ERROR] network-object object ADS.cmh.hk.overture.com
Adding obj to object-group (ADS_BLOCK) failed; cause access-list error
ERROR: unable to deregister cmh.hk.overture.com lookup service (10)
I don't know what is going on; any suggestions for debugging this are welcome and I will try them as best I can.
Thank you!
Daniel
04-29-2014 04:30 AM
Have you tried adding the commands manually in the CLI? If not, could you try a couple of object-groups to see if you get an error there also?
If you do not get an error there, then I think this could be an issue with the ASDM version and would suggest downgrading (if you absolutely have to do this in ASDM). If you get an error when entering the commands in the CLI, then it would seem that there is an issue with the configuration... perhaps the naming convention(?). In any case, we would need to see more of your configuration to help you further.
--
Please remember to select a correct answer and rate
04-29-2014 04:56 AM
I found another problem.
I see what ASDM is doing:
access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK log disable
then write mem
The ASDM will actually list this ACL for a moment.
No problem.
But in the actual running config, I cannot see anything related to this.
And interestingly, after write mem and checking the running config from the CLI, I run ASDM again and the ACL disappears.
So, it seems this access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK log disable is of no use at all.
BTW, I used commands to create this new ADS1_BLOCK group; no problem at the moment.
As I am not very familiar with the CLI, could you suggest whether there is another way to rewrite this
access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK log disable
? I suspect this command messed things up in my ASA.
Thanks
Daniel
04-29-2014 05:01 AM
I don't see how that ACL entry would mess things up as it is disabled. But there really isn't any other way of writing it, other than creating separate entries for all the objects in the ADS1_BLOCK group.
--
Please remember to select a correct answer and rate
04-29-2014 05:13 AM
I tried this:
access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
as I found it in the running config.
I typed this in the CLI:
asa(config)# aaccess-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
asa(config)# write
Building configuration...
Cryptochecksum: 793b2277 64859db5 0966c319 439447e6
28366 bytes copied in 1.420 secs (28366 bytes/sec)
[OK]
asa(config)#
But when I run sh run I cannot find this entry in my running config.
My running config has this:
access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable
I really don't know what is going on: no complaint in the CLI, it can write to mem, but the entry just does not exist in the running config.
Any suggestions?
Should I downgrade the ASA?
Thanks
Daniel
04-29-2014 05:15 AM
Could you post the configuration output for ADS1_BLOCK please?
--
Please remember to select a correct answer and rate
04-29-2014 05:30 AM
I post my running config here - hope you can give me a suggestion.
asa# sh run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(1)
!
hostname asa
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
multicast-routing
names
name 10.71.0.50 my-host
ip local pool vpn-pool 10.71.1.230-10.71.1.254 mask 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Private-interface
nameif inside
security-level 100
ip address 10.71.0.1 255.255.255.0
!
interface Vlan2
description Public-interface
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa921-k8.bin
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.71.0.224
subnet 10.71.0.224 255.255.255.224
object network my-host
host 10.71.0.50
object service obj-tcp-source-eq-57706
service tcp source eq 57706
object service obj-tcp-source-eq-7777
service tcp source eq 7777
object network obj-10.71.0.0
subnet 10.71.0.0 255.255.0.0
object network NETWORK_OBJ_10.71.0.224_27
subnet 10.71.0.224 255.255.255.224
object service obj-tcp-source-eq-80
service tcp source eq www
object network vpnpool
range 10.71.1.230 10.71.1.254
description vpnpool
object service obj-tcp-source-eq-443
service tcp source eq https
object service 1443
service tcp destination eq 1443
object network block-NEOTEL
range 41.160.0.0 41.175.255.255
description 255.255.0.0
object network block-190.123.0.0
range 190.123.0.0 190.123.255.255
object network block-level3
range 4.26.0.0 4.26.255.255
object network block-110.164.191.179
range 110.164.0.0 110.164.255.255
object network block-87.106.0.0_16
range 87.106.0.0 87.106.255.255
object network block-80.86.80.0_16
range 80.86.80.0 80.86.84.255
object network ADS.bdaz.adsfactor.net
fqdn v4 bdaz.adsfactor.net
description bdaz.adsfactor.net
object network ADS.googleads.g.doubleclick.net
fqdn v4 googleads.g.doubleclick.net
description googleads.g.doubleclick.net
object network ADS.i.l.networld.hk
fqdn v4 i.l.networld.hk
description i.l.networld.hk
object network ADS.servedby.adsfactor.net
fqdn v4 servedby.adsfactor.net
description servedby.adsfactor.net
object network ADS.pagead2.googlesyndication.com
fqdn v4 pagead2.googlesyndication.com
description pagead2.googlesyndication.com
object network ADS.s3-ap-southeast-1.amazonaws.com
fqdn v4 s3-ap-southeast-1.amazonaws.com
description s3-ap-southeast-1.amazonaws.com
object network ADS.cmh.hk.overture.com
fqdn v4 cmh.hk.overture.com
description cmh.hk.overture.com
object network ADS.pubads.g.doubleclick.net
fqdn v4 pubads.g.doubleclick.net
description pubads.g.doubleclick.net
object network ADS.ds.serving-sys.com
fqdn v4 ds.serving-sys.com
description ds.serving-sys.com
object network ADS.b.voicefive.com
fqdn b.voicefive.com
object network ADS1.test.abc.com
fqdn test.abc.com
object-group network ADS_BLOCK
network-object object ADS.bdaz.adsfactor.net
network-object object ADS.googleads.g.doubleclick.net
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq snmp
port-object eq snmptrap
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq 57706
object-group icmp-type ICMP-Service-Group
description ICMP Service Group
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service Monitor-remote-tcp tcp
description Monitor-remote-tcp
port-object eq 5938
port-object eq 7777
object-group network DMZ_Group
network-object 10.80.0.0 255.255.0.0
object-group network wp-block
network-object object block-NEOTEL
network-object object block-190.123.0.0
network-object object block-level3
network-object object block-110.164.191.179
network-object object block-87.106.0.0_16
network-object object block-80.86.80.0_16
object-group service DM_INLINE_SERVICE_3
service-object object obj-tcp-source-eq-443
service-object object obj-tcp-source-eq-57706
service-object object obj-tcp-source-eq-7777
service-object object obj-tcp-source-eq-80
object-group network ADS1_BLOCK
network-object object ADS1.test.abc.com
network-object object ADS.b.voicefive.com
network-object object ADS.bdaz.adsfactor.net
network-object object ADS.cmh.hk.overture.com
network-object object ADS.ds.serving-sys.com
network-object object ADS.googleads.g.doubleclick.net
network-object object ADS.i.l.networld.hk
network-object object ADS.pagead2.googlesyndication.com
network-object object ADS.pubads.g.doubleclick.net
network-object object ADS.s3-ap-southeast-1.amazonaws.com
network-object object ADS.servedby.adsfactor.net
object-group-search access-control
access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any4
access-list inside-in extended deny ip any 202.128.224.0 255.255.224.0 log alerts
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any4 object-group Internet-udp
access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any4 object-group Internet-tcp
access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any4
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply
access-list outside-in extended deny tcp any 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended deny tcp object-group wp-block object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny object-group DM_INLINE_SERVICE_3 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny tcp 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list outside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list outside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_nat0_outbound extended permit ip any4 10.71.0.224 255.255.255.224
access-list split-tunnel standard permit 10.71.0.0 255.255.255.0
access-list DMZ_access_in extended permit tcp any any object-group Internet-tcp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit udp any any object-group Internet-udp
access-list DMZ_access_in extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended permit tcp any any object-group Internet-tcp
access-list global_access extended permit udp any any object-group Internet-udp
access-list global_access extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended deny ip 202.128.224.0 255.255.224.0 object my-host log alerts
access-list global_access extended deny ip object my-host 202.128.224.0 255.255.224.0 log alerts
pager lines 24
logging enable
logging timestamp
logging list filter level warnings
logging buffer-size 999999
logging buffered filter
logging asdm informational
logging flash-bufferwrap
logging flash-minimum-free 30760
logging flash-maximum-allocation 30240
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-57706 obj-tcp-source-eq-57706
nat (inside,outside) source static my-host interface service obj-tcp-source-eq-7777 obj-tcp-source-eq-7777
nat (inside,outside) source dynamic obj-10.71.0.0 interface
nat (inside,outside) source static any any destination static obj-10.71.0.0 obj-10.71.0.0 no-proxy-arp route-lookup
!
object network obj-10.71.0.0
nat (inside,outside) dynamic interface
!
nat (any,outside) after-auto source static vpnpool vpnpool
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=my-asa
crl configure
crypto ca trustpool policy
crypto ca certificate map DefaultCertificateMap 10
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 21 20 19 24 14 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server 1.2.3.4
vpnclient mode client-mode
vpnclient vpngroup vpn password *****
dhcpd lease 1048575
!
dhcpd address my-host-10.71.0.128 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
ntp authenticate
ntp server 118.143.17.82 prefer
ssl encryption 3des-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
port 8443
enable inside
enable outside
character-encoding unicode
anyconnect-essentials
csd image disk0:/csd_3.6.6210-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 2 regex "Linux"
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3 regex "Intel Mac OS X"
anyconnect profiles vpn disk0:/vpn.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 8.8.8.8 8.8.4.4
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:793b227764859db50966c319439447e6
: end
04-29-2014 06:03 AM
Is this a typo or copy error...? (two a's in access)
aaccess-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
If it is a typo, I do not have a good explanation as to why it is not showing up in the running configuration. I plugged your config into my ASA and got no error, and I see the entry when I issue show run access-list.
Try removing the ADS1_BLOCK group and the ACL, refresh ASDM and make sure the commands are not present in the ASDM or CLI, then re-add the commands using the CLI only and see if the command is now present.
no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
no object-group network ADS1_BLOCK
Refresh ASDM and check that the configs are gone.
object-group network ADS1_BLOCK
network-object object ADS1.test.abc.com
network-object object ADS.b.voicefive.com
network-object object ADS.bdaz.adsfactor.net
network-object object ADS.cmh.hk.overture.com
network-object object ADS.ds.serving-sys.com
network-object object ADS.googleads.g.doubleclick.net
network-object object ADS.i.l.networld.hk
network-object object ADS.pagead2.googlesyndication.com
network-object object ADS.pubads.g.doubleclick.net
network-object object ADS.s3-ap-southeast-1.amazonaws.com
network-object object ADS.servedby.adsfactor.net
access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
If that doesn't work then perhaps it is best to contact TAC, if you have a support contract with Cisco.
--
Please remember to select a correct answer and rate
04-29-2014 06:51 AM
Hi
I am getting into a loop...
asa(config)# no object network ADS.googleads.g.doubleclick.net
ERROR: unable to delete object (ADS.googleads.g.doubleclick.net). object is being used.
asa(config)# no object-group network ADS1_BLOCK
Removing object-group (ADS1_BLOCK) not allowed, it is being used.
Any idea how to solve this???
It is driving me crazy .....-_-"
Thanks
Daniel
04-29-2014 11:41 PM
You need to remove the access-list first.
no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
Enter this command even though the ACL is not visible in the running configuration. You might want to try the following commands to see if the access-list shows up there: show run all and more system:running-config
After you have removed the access-list remove the object-group:
no object-group network ADS1_BLOCK
--
Please remember to select a correct answer and rate
04-30-2014 02:58 PM
Yeah, all the ADS are not resolving to anything; since they don't resolve, you are getting this error.
C:\Users\jumora>nslookup ADS.cmh.hk.overture.com
Server: UnKnown
Address: 10.198.4.30
*** UnKnown can't find ADS.cmh.hk.overture.com: Non-existent domain
C:\Users\jumora>nslookup ADS.googleads.g.doubleclick.net
Server: UnKnown
Address: 10.198.4.30
*** UnKnown can't find ADS.googleads.g.doubleclick.net: Non-existent domain
04-30-2014 09:06 PM
Hi jumora,
But I don't know if an object name will also be used to resolve - -_-"
In the running config:
object network ADS.pagead2.googlesyndication.com
fqdn v4 pagead2.googlesyndication.com
description pagead2.googlesyndication.com
In the fqdn I defined the proper domain name...
Anyway, do you have a suggestion for how I can remove these troublesome network groups and network objects? I am running in a loop.... Thanks
Daniel
I put ADS.(domain name) just to make it easy for me to classify them as ad servers.
04-30-2014 09:01 PM
Thanks - seems to be no use. Even when I run show run all and more system:running-config I still cannot see the access-list with ADS1_BLOCK.
And this is what I have tried:
asa# conf t
asa(config)# no access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
Specified access-list does not exist
asa(config)# no access-list inside_access_in line 9 extended deny ip any object-group ADS1_BLOCK log disable
Specified access-list does not exist at that line
asa(config)# show run access-list
access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any4
access-list inside-in extended deny ip any 202.128.224.0 255.255.224.0 log alerts
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any4 object-group Internet-udp
access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any4 object-group Internet-tcp
access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any4
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply
access-list outside-in extended deny tcp any 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny udp object my-host 202.128.224.0 255.255.224.0 log alerts
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-list inside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list inside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list inside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list inside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended deny tcp object-group wp-block object pigpigpig-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny object-group DM_INLINE_SERVICE_3 202.128.224.0 255.255.224.0 object my-host log alerts
access-list outside_access_in remark gov
access-list outside_access_in extended deny tcp 202.128.224.0 255.255.224.0 object pigpigpig-host log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Monitor-remote-tcp log alerts
access-list outside_access_in extended permit tcp any4 any4 object-group Internet-tcp log disable
access-list outside_access_in extended permit udp any4 any4 object-group Internet-udp log disable
access-list outside_access_in extended permit ip any4 any4 log disable
access-list outside_access_in extended permit icmp any4 any4 object-group ICMP-Service-Group log disable
access-list inside_nat0_outbound extended permit ip any4 10.71.0.224 255.255.255.224
access-list split-tunnel standard permit 10.71.0.0 255.255.255.0
access-list DMZ_access_in extended permit tcp any any object-group Internet-tcp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit udp any any object-group Internet-udp
access-list DMZ_access_in extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended permit tcp any any object-group Internet-tcp
access-list global_access extended permit udp any any object-group Internet-udp
access-list global_access extended permit icmp any any object-group ICMP-Service-Group
access-list global_access extended deny ip 202.128.224.0 255.255.224.0 object pigpigpig-host log alerts
access-list global_access extended deny ip object my-host 202.128.224.0 255.255.224.0 log alerts
asa(config)#
asa(config)# no object-group network ADS1_BLOCK
Removing object-group (ADS1_BLOCK) not allowed, it is being used.
asa(config)# show run object-group network ADS1_BLOCK
^
ERROR: % Invalid input detected at '^' marker.
asa(config)# show run object-group
object-group network ADS1_BLOCK
network-object object ADS.b.voicefive.com
asa(config)#
asa(config)# no network-object object ADS.b.voicefive.com
^
ERROR: % Invalid input detected at '^' marker.
asa(config)# object-group network ADS1_BLOCK
asa(config-network-object-group)# no network-object object ADS.b.voicefive.com
Removing obj from object-group not allowed;
object-group (ADS1_BLOCK), being used in access-list or threat-detection or NAT, would become empty
asa(config-network-object-group)#
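The removal order given earlier in the thread (drop the referencing access-list first, then the object-group, then its member objects) and the closing "being used in access-list or threat-detection or NAT" message both come down to finding every command that still names the group. The Python script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA config excerpt modelled on the poster's (ADS1_BLOCK, wp-block and my-host are taken from the thread; the excerpt itself is constructed) and prints what blocks deletion and the order the ASA will accept.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the thread's config (not the poster's full config):
# a group whose only reference is an ACE, plus an object shared by a group and an ACE.
SAMPLE_CONFIG = """\
object network ADS.b.voicefive.com
 fqdn b.voicefive.com
object network ADS1.test.abc.com
 fqdn test.abc.com
object network my-host
 host 10.71.0.50
object-group network ADS1_BLOCK
 network-object object ADS1.test.abc.com
 network-object object ADS.b.voicefive.com
object-group network wp-block
 network-object object my-host
access-list inside_access_in extended deny ip any object-group ADS1_BLOCK log disable
access-list inside_access_in extended deny tcp object my-host object-group wp-block log disable
access-group inside_access_in in interface inside
"""


@dataclass
class AsaConfig:
    objects: dict = field(default_factory=dict)    # object name -> its indented lines
    groups: dict = field(default_factory=dict)     # group name -> member object names
    commands: list = field(default_factory=list)   # every other top-level command


def parse_config(text):
    """Split an ASA running-config into network objects, object-groups and other commands."""
    cfg = AsaConfig()
    block = None   # ("object" | "group", name) while inside an indented section
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            block = None
            continue
        if raw[0].isspace():                       # indented line: belongs to the open block
            line = raw.strip()
            if block is None:
                continue
            kind, name = block
            if kind == "object":
                cfg.objects[name].append(line)
            else:
                m = re.fullmatch(r"network-object object (\S+)", line)
                if m:
                    cfg.groups[name].append(m.group(1))
            continue
        m = re.fullmatch(r"object network (\S+)", raw)
        if m:
            block = ("object", m.group(1))
            cfg.objects.setdefault(m.group(1), [])
            continue
        m = re.fullmatch(r"object-group network (\S+)", raw)
        if m:
            block = ("group", m.group(1))
            cfg.groups.setdefault(m.group(1), [])
            continue
        block = None
        cfg.commands.append(raw)
    return cfg


def group_references(cfg, group):
    """Top-level commands (access-list, nat, threat-detection, ...) that name the group.
    While any of these exist, 'no object-group' is refused with 'it is being used'."""
    pat = re.compile(r"\bobject-group %s(?=\s|$)" % re.escape(group))
    return [cmd for cmd in cfg.commands if pat.search(cmd)]


def object_references(cfg, obj):
    """Groups that contain the object, plus top-level commands that name it directly."""
    pat = re.compile(r"\bobject %s(?=\s|$)" % re.escape(obj))
    refs = ["object-group network %s" % g for g, members in cfg.groups.items() if obj in members]
    return refs + [cmd for cmd in cfg.commands if pat.search(cmd)]


def removal_plan(cfg, group):
    """Commands in the order the ASA accepts them: every reference first, then the
    group itself, then member objects that nothing else still uses."""
    plan = ["no " + cmd for cmd in group_references(cfg, group)]
    plan.append("no object-group network %s" % group)
    for member in cfg.groups.get(group, []):
        still_used = [r for r in object_references(cfg, member)
                      if r != "object-group network %s" % group]
        if not still_used:
            plan.append("no object network %s" % member)
    return plan


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("references to ADS1_BLOCK:", group_references(cfg, "ADS1_BLOCK"))
    for cmd in removal_plan(cfg, "ADS1_BLOCK"):
        print(cmd)
```

The script only sees what the saved text contains, so an ACE the ASA no longer prints in show run (the situation the thread ends on) is exactly what it cannot find; in that case the output of more system:running-config is the text to feed it.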