Cisco ASA 9.02 ACL with three object groups

Robert Sealey
Level 1

I was trying to create a single access list using ip rather than specifying two with both udp and tcp.  My rule looked like this:

access-list ACL_Group_IN extended permit ip object-group Isolated_workstations object-group Antivirus_Server object-group Antivirus_Services

My groups are defined as such:

object-group network Antivirus_Server
 network-object host 10.10.20.111

object-group service Antivirus_Services tcp-udp
 port-object eq 80
 port-object eq 443
 port-object eq 8081
 port-object eq 8082
 port-object eq 8083

(the last two are udp ports)

object-group network Isolated_workstations
 network-object host 10.8.10.3
 network-object host 10.8.10.4
 network-object host 10.8.10.5
 network-object host 10.9.10.3
 network-object host 10.9.10.23

When in configuration mode on my ASASM with 9.02, I would get a syntax error when trying to submit the first rule. When I split it into two rules and removed ip and replaced it with udp and tcp, it worked. So the rules that worked are:

access-list ACL_Group_IN extended permit tcp object-group Isolated_workstations object-group Antivirus_Server object-group Antivirus_Services

access-list ACL_Group_IN extended permit udp object-group Isolated_workstations object-group Antivirus_Server object-group Antivirus_Services

 

Why can't I just use the first rule?  What am I missing? 

 

Thanks!

3 Replies

nspasov
Cisco Employee

Hi Robert-

Check out the following link:

http://networkengineering.stackexchange.com/questions/5196/how-to-use-tcp-udp-objects-in-a-single-acl

Let us know if you still have any questions/issues

 

Thank you for rating helpful posts!

Going off of your link, I tried creating my rule as follows but got an error:

access-list ACL_Group_IN extended permit ip object-group Antivirus_Services object-group Isolated_Workstations object-group Anitivirus_Server 

 

This places the services object group first, per your linked article, but it still fails.

I'm testing on an ASA5505 with 9.22 code.

 

Try it again but without specifying "ip" after the permit statement. 

 

Thank you for rating helpful posts!

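The single-ACE form the replies are pointing at, as an added example that is not from this thread, from Cisco documentation, or from the linked Stack Exchange answer: it assumes ASA 8.3+ syntax, where a protocol-less object-group service built from service-object lines stands in the protocol position of the ACE, reuses the group names from the question (with a new name for the rebuilt service group, since an existing tcp-udp group cannot be retyped in place), and uses "inside" as a placeholder interface name for packet-tracer.

```text
! Added example, not from the thread. Assumes ASA 8.3+ service-object
! syntax; "inside" is a placeholder interface name.
!
! A "tcp-udp" port group can only fill the port slot of a tcp or udp ACE,
! so "permit ip ... object-group Antivirus_Services" is rejected: ip has
! no port argument. A protocol-less service group carries the protocol
! itself, so it replaces the protocol keyword instead.
object-group service Antivirus_Services_v2
 service-object tcp destination eq 80
 service-object tcp destination eq 443
 service-object tcp destination eq 8081
 service-object udp destination eq 8082
 service-object udp destination eq 8083
!
! One ACE: no "ip", the service group where the protocol would go, then
! source and destination groups as before. Unlike the two tcp/udp ACEs
! that worked, this does not also open udp/80, udp/443, udp/8081,
! tcp/8082 or tcp/8083.
access-list ACL_Group_IN extended permit object-group Antivirus_Services_v2 object-group Isolated_workstations object-group Antivirus_Server
!
! Verify the expansion: every host/port pair appears as its own expanded
! entry, and no expanded line should read "permit ip".
show access-list ACL_Group_IN
!
! Spot-check one flow that must pass and one that must be dropped
! (udp to a tcp-only port).
packet-tracer input inside tcp 10.8.10.3 40000 10.10.20.111 443
packet-tracer input inside udp 10.8.10.3 40000 10.10.20.111 8081
```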