04-03-2009 03:57 PM - edited 03-11-2019 08:14 AM
I have a possible bug when creating an Access Rule that happens sporadically.
When using a Network Object Group with 3 members as the Destination, the ACL blocks the source that I want to permit. However, when I break up the Network Object Group into 3 individual destination hosts, the ACL works fine.
Has anyone experienced this???
ASA5520 Version 8.0(4)
ASDM 6.1
Thanks much
04-09-2009 03:17 PM
To use object groups in an access list, replace the normal protocol (protocol), network (source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny |
permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group
nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for the source address, but identify the destination address with an address and mask.
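As an added example (constructed for this thread, not configuration from the original poster or from Cisco documentation), here is what the two variants described above look like side by side: one access-list entry that uses a three-member network object group as the destination, and the same policy written out per host. The object-group name, access-list name, interface name and all addresses are assumed values. The `show access-list` command at the end is the check worth running in the original situation, because it displays the individual entries the ASA expands the object-group entry into, together with a hit count per expanded entry, so you can see whether the group was expanded the way you expected and which entry the traffic actually matched.

```cisco
! Constructed example: three-member destination group (assumed addresses)
object-group network DST_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
!
! One ACE using the group as the destination (assumed source and ACL name)
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 object-group DST_SERVERS eq 443
!
! The same policy written out per host; this is what the ASA expands the
! object-group ACE above into
access-list OUTSIDE_IN_HOSTS extended permit tcp host 198.51.100.5 host 192.0.2.10 eq 443
access-list OUTSIDE_IN_HOSTS extended permit tcp host 198.51.100.5 host 192.0.2.11 eq 443
access-list OUTSIDE_IN_HOSTS extended permit tcp host 198.51.100.5 host 192.0.2.12 eq 443
!
! Apply the object-group version inbound on the outside interface (assumed name)
access-group OUTSIDE_IN in interface outside
!
! Verify: shows the expanded per-host entries and their hit counts, so a
! group that is not matching can be compared against the per-host version
show access-list OUTSIDE_IN
```

When comparing the two, keep in mind that the expanded entries are evaluated in order within the position of the original ACE, so an earlier deny in the same access list still takes precedence over a permit that uses the group.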
04-09-2009 04:19 PM
Hi,
Could you post your object group and the access list used for that object group.