Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
0
Helpful
2
Replies

FMT and network object-groups with network ranges?

andrew.butterworth
Level 7
Level 7

‎11-11-2022 03:41 AM - edited ‎11-11-2022 03:42 AM

I'm working with some offline ASA configurations that I need to merge and push as a single file to the FirePower Migration Tool.  It is purely objects, object-groups and ACLs.  I have removed all the NAT configuration as I'll create this manually as there isn't much to it.

I have been manipulating the source configuration file so that the FMT doesn't complain about anything, however I've got four ACL lines that it says are unsupported.  One is a protocol object-group from any source to a destination network object-group, the other three are tcp from a network object-group to a network object-group with destination port https.

 

access-list inside_access_in extended permit object-group XYZ-Ports any object-group XYZ-Cloud-Comms
access-list inside_access_in extended permit tcp object-group XYZ object-group DM_INLINE_NETWORK_143 eq https
access-list inside_access_in extended permit tcp object-group ABC object-group DM_INLINE_NETWORK_144 eq https
access-list inside_access_in extended permit tcp object obj-range-10.1.1.137-140 object-group DM_INLINE_NETWORK_148 eq https

 

Looking at the network object-groups that are referenced the only thing I can see that is common are network range objects within the groups.  Is this a limitation of the FMT?

0 Helpful
2 Replies 2

manabans
Cisco Employee
Cisco Employee

‎11-11-2022 04:47 AM

Unfortunately, extended access-list objects don't support range objects. Only host and network objects are supported.
An enhancement has been raised for this https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa73735 

0 Helpful

andrew.butterworth
Level 7
Level 7
In response to manabans

‎11-11-2022 05:29 AM

Thanks for the reply, however that isn't the issue.  I can create the objects and policy manually and ranges are supported in the policy and I've checked on the CLI on a test FTD and can see them

object network obj-range-10.1.1.17-19
 range 10.1.1.17 10.1.1.19
!
access-list CSM_FW_ACL_ advanced permit tcp ifc inside object obj-range-10.1.1.17-19 ifc outside any4 object-group HTTPS rule-id 268436481
access-list CSM_FW_ACL_ advanced permit tcp ifc inside object obj-range-10.1.1.17-19 ifc outside_static_vti_1 any4 object-group HTTPS rule-id 268436481

I'm guessing its just a limitation of the FMT?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card