FWSM Strange behavior on access-list

pokwan
Level 1

Hi,

I have a strange problem where an object-group was created and applied to an access-list as below on line 12. Access from 10.10.214.0/24 to 203.1.254.23 failed to work even though the access-list permits it. Entering line 13 below (a repeat of 10.10.214.0/24) works fine.

access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86
access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86

Since it didn't work, line 12 was removed from acl_test:

no access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23

After line 12 above was removed, line 13 on acl_test above failed to work.

access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86

Since access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 failed to work, I re-entered access-list acl_test permit ip object-group test_g2 host 203.1.254.23 (as below), and it works again, with the access-list entry on line 13 being hit (see below):

access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
access-list acl_test line 13 extended permit ip object-group upr_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 13 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=1) 0xd1686d86
access-list acl_test line 13 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739

How can the problem above be rectified? Will removing and re-entering the statement below fix it?

nat (inside) 1 access-list acl_test

TIA.

PF
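The show output in the post is the clue: the explicit line 13 entry and the 10.10.214.0/24 member expanded from the object-group on line 12 are the same ACE and carry the same hash (0xd1686d86), so the two configuration lines collide in the compiled access-list. Before adding or removing object-group entries on an FWSM, it is worth auditing the ACL for exactly that situation. The following script is an added example (not code from the thread or from Cisco): it parses ASA/FWSM-style "object-group network" blocks and "access-list ... extended" lines, expands the groups into individual ACEs, and reports any ACE produced by more than one configuration line. The configuration it runs against is constructed from the addresses in the post; it assumes the group is named test_g2 and contains the three /24s shown, and it handles only network object-groups (service groups and port keywords are kept verbatim, not expanded).

```python
"""Expand FWSM/ASA-style object-group ACLs and flag ACEs defined by more than one line.

Added example, not from the original thread. The config below is constructed
from the addresses in the post; the group membership of test_g2 is assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config (assumption: test_g2 holds the three /24s seen in the post).
SAMPLE_CONFIG = """\
object-group network test_g2
 network-object 10.10.118.0 255.255.255.0
 network-object 10.10.214.0 255.255.255.0
 network-object 10.10.217.0 255.255.255.0
access-list acl_test extended permit ip object-group test_g2 host 203.1.254.23
access-list acl_test extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23
access-list acl_test extended permit tcp any host 203.1.254.23 eq 443
nat (inside) 1 access-list acl_test
"""


def parse_object_groups(config):
    """Return {group_name: [ip_network, ...]} for every 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+network-object (?:host (\S+)|(\S+) (\S+))", line)
        if m and current is not None:
            host, net, mask = m.groups()
            current.append(ipaddress.ip_network(host if host else f"{net}/{mask}"))
        elif not line.startswith(" "):
            current = None  # any non-indented line ends the group block
    return groups


def parse_address(tokens, groups):
    """Consume one address spec (any | host A | object-group G | A MASK) from tokens."""
    kind = tokens.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(tokens.pop(0))]
    if kind == "object-group":
        return list(groups[tokens.pop(0)])
    return [ipaddress.ip_network(f"{kind}/{tokens.pop(0)}")]


def expand_acl(config):
    """Return {acl_name: [(config_line_no, ace), ...]} with object-groups expanded.

    ace = (action, proto, src_net, dst_net, tail); tail keeps any trailing
    port spec verbatim, so 'eq 443' entries are not merged with plain 'ip' ones.
    """
    groups = parse_object_groups(config)
    acls = defaultdict(list)
    for lineno, line in enumerate(config.splitlines(), 1):
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        srcs = parse_address(tokens, groups)
        dsts = parse_address(tokens, groups)
        tail = " ".join(tokens)
        for s in srcs:
            for d in dsts:
                acls[name].append((lineno, (action, proto, str(s), str(d), tail)))
    return dict(acls)


def find_duplicate_aces(config):
    """Return {acl_name: {ace: [config_line_no, ...]}} for ACEs that more than one
    configuration line produces, e.g. an object-group expansion and an explicit
    entry covering the same source and destination."""
    dups = {}
    for name, entries in expand_acl(config).items():
        origins = defaultdict(list)
        for lineno, ace in entries:
            origins[ace].append(lineno)
        collisions = {ace: lines for ace, lines in origins.items() if len(lines) > 1}
        if collisions:
            dups[name] = collisions
    return dups


if __name__ == "__main__":
    for name, collisions in find_duplicate_aces(SAMPLE_CONFIG).items():
        for ace, lines in collisions.items():
            print(f"{name}: {' '.join(ace).strip()} is produced by config lines {lines}")
```

On the sample config this reports that permit ip 10.10.214.0/24 -> 203.1.254.23/32 comes from both the object-group line and the explicit line, which is the pair that shared hash 0xd1686d86 in the post. Running the same check over a real "show running-config" before removing an object-group line tells you which explicit entries depend on an identical expanded ACE.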

2 Replies

amritpatek
Level 6

Such problems usually happen when the FWSM is running in multiple-context mode with multiple VLANs in the same context. Check whether running in multiple-context mode is causing the problem.

Amritpatek,

Multiple-context mode is not activated. It is running as a single firewall with multiple interfaces/VLANs.

Thanks.

PF
