01-17-2008 08:31 PM - edited 03-11-2019 04:50 AM
Hi,
I have a strange problem where an object-group was created and applied to an access-list as below on line 12. An access from 10.10.214.0/24 to 203.1.254.23 failed to work even though the access-list permits it. Entering line 13 below (a repeat of 10.10.214.0/24) works fine.
access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86
access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
Since it doesn't work, line 12 was removed from acl_test
no access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23
After line 12 above was removed, line 13 on acl_test above failed to work.
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
Since access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23
failed to work, I have re-entered
access-list acl_test permit ip object-group test_g2 host 203.1.254.23 (as below)
and it works again with the access-list on line 13 being hit (see below)
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
access-list acl_test line 13 extended permit ip object-group upr_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 13 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=1) 0xd1686d86
access-list acl_test line 13 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
How can the problem above be rectified? Will removing and re-entering the statement below work?
nat (inside) 1 access-list acl_test
TIA.
PF
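As an added example (not part of the original post), the following script parses "show access-list" output in the format quoted above, separates object-group header lines from their expanded entries, and flags any expanded ACE whose hash appears on more than one ACL line. Run against the thread's own output it reports the 10.10.214.0/24 entry (hash 0xd1686d86), which exists both as an expansion of line 12 and as a standalone line 13, with only one of the two accumulating hits. The sample text is the output quoted in the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the FWSM "show access-list" output quoted in the post above.
SAMPLE = """\
access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86
access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
"""

# One ACE per line; the "(hitcnt=N)" field is absent on object-group header lines.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<body>.+?)(?: \(hitcnt=(?P<hits>\d+)\))? (?P<hash>0x[0-9a-f]+)$"
)

def parse_aces(text):
    """Parse each output line into a dict; unparseable lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["line"] = int(d["line"])
        d["hits"] = int(d["hits"]) if d["hits"] is not None else None
        # Header lines name the object-group; expanded entries carry a hitcnt.
        d["is_group"] = d["body"].startswith("object-group ")
        aces.append(d)
    return aces

def find_duplicates(aces):
    """Return {hash: [entries]} for expanded ACEs whose hash occurs on more
    than one ACL line, i.e. the same rule is present twice in the list."""
    by_hash = defaultdict(list)
    for a in aces:
        if not a["is_group"]:
            by_hash[a["hash"]].append(a)
    return {h: lst for h, lst in by_hash.items()
            if len({a["line"] for a in lst}) > 1}

if __name__ == "__main__":
    for h, entries in find_duplicates(parse_aces(SAMPLE)).items():
        where = ", ".join(f"line {a['line']} (hitcnt={a['hits']})" for a in entries)
        print(f"{h}: {entries[0]['body']} appears at {where}")
```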
01-23-2008 09:06 AM
Such problems usually happen when FWSM is running in multi context mode with multiple vlans in the same context. Check whether running in multi context mode is causing the problem.
01-23-2008 01:34 PM
Amritpatek,
Multi context is not activated. It is running as a single firewall with multiple interfaces/vlans.
Thanks.
PF