08-12-2009 11:13 AM - edited 03-11-2019 09:05 AM
I have an ASA running 8.0(4). I am attempting to use an object-group to consolidate the incoming access-list, as there are several servers behind the ASA running web servers.
However, when specifying any as the source network (I even tried using 0.0.0.0 0.0.0.0), it will not let me specify a destination port when I use an object group.
In other words, it will let me do:
access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site
but won't let me do:
access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www
Also odd is that if the source "network" is an object group, it will allow a port specification. In other words, this is ok:
access-list Allowed_Incoming_temp permit tcp object-group Temp_List object-group Servers_Running_Web_Site eq www
Of course that doesn't really do me much good.
Is this a bug in this version of the ASA OS? Was this by design, and if so, what is the intent of limiting port specification? Is there a way to do what I am looking for without creating an entry for each server and not using the object-group?
Thanks for your assistance.
08-12-2009 11:19 AM
I tried on my box and it worked ????
######
ASA-5510-8x(config)# object-group network mynetwork
ASA-5510-8x(config-network)# net
ASA-5510-8x(config-network)# network-object host 1.1.1.1
ASA-5510-8x(config-network)# network-object host 2.2.2.2
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)#
ASA-5510-8x(config-network)# exit
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)#
ASA-5510-8x(config)# access-l testacl permit tcp any ob
ASA-5510-8x(config)# access-l testacl permit tcp any object-group mynetwork eq www
ASA-5510-8x(config)# sh access-l testacl
access-list testacl; 2 elements
access-list testacl line 1 extended permit tcp any object-group mynetwork eq www 0xf40a2caa
access-list testacl line 1 extended permit tcp any host 1.1.1.1 eq www (hitcnt=0) 0x11d45404
access-list testacl line 1 extended permit tcp any host 2.2.2.2 eq www (hitcnt=0) 0xf620c462
#######
HTH
Sushil
08-12-2009 12:10 PM
Sloppiness from trying to do things in a hurry.
It was a capitalization error; I must have typed too fast when typing the object-group name, and my "standards" didn't come in.
Thanks for getting me to slow down and think for a bit.
08-12-2009 12:18 PM
No problem... I'm in TAC and never saw that before... was kind of amazed by the behaviour... :)
Cheers!!
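Added example, not from the thread or from Cisco: a small Python script that mimics the two behaviours discussed above. It expands an access-list line that references a network object-group into per-host ACEs, the way `show access-list` displays them, and it looks up the group name case-sensitively, so a capitalization mismatch like the one in the original post is reported instead of silently matching. The config snippet is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed ASA-style config snippet, modelled on the thread (not a real device dump).
# The second access-list line deliberately misspells the group name by case.
CONFIG = """
object-group network Servers_Running_Web_Site
 network-object host 1.1.1.1
 network-object host 2.2.2.2
access-list Allowed_Incoming_temp permit tcp any object-group Servers_Running_Web_Site eq www
access-list Allowed_Incoming_temp permit tcp any object-group servers_running_web_site eq www
"""


def parse_object_groups(config: str) -> Dict[str, List[str]]:
    """Collect network object-groups and their host members, keyed by exact (case-sensitive) name."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.strip().startswith("network-object host "):
            groups[current].append("host " + line.split()[-1])
        elif line.strip() and not line.startswith(" "):
            current = None  # any other top-level command ends the group definition
    return groups


def expand_acl(config: str) -> List[str]:
    """Expand object-group references into per-host ACEs; report groups that do not exist.

    Lookup is case-sensitive, matching the ASA, so a name typed with the wrong case is
    flagged with a hint pointing at the group that differs only in capitalization.
    """
    groups = parse_object_groups(config)
    out: List[str] = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit (\S+) (\S+) object-group (\S+)(.*)", line)
        if not m:
            continue
        name, proto, src, grp, rest = m.groups()
        if grp not in groups:
            near = [g for g in groups if g.lower() == grp.lower()]
            hint = f" (did you mean {near[0]}?)" if near else ""
            out.append(f"ERROR: {name}: object-group {grp} does not exist{hint}")
            continue
        for member in groups[grp]:
            out.append(f"access-list {name} extended permit {proto} {src} {member}{rest}")
    return out
```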