Hi,
I have a strange problem where an object-group was created and applied to an access-list as below on line 12. An access from 10.10.214.0/24 to 203.1.254.23 failed to work eventhough the access-list permits it. Entering line 13 below (a repeat of 10.10.214.0/24) works fine.
access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 12 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0xd1686d86
access-list acl_test line 12 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
Since it doesn't work, line 12 was removed from acl_test
no access-list acl_test line 12 extended permit ip object-group test_g2 host 203.1.254.23
After line 12 above was removed, line 13 on acl_test above failed to work.
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
Since access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23
failed to work I have re-entered
access-list acl_test permit ip object-group test_g2 host 203.1.254.23 (as below)
and it works again with the access-list on line 13 being hit (see below)
access-list acl_test line 12 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=2) 0xd1686d86
access-list acl_test line 13 extended permit ip object-group upr_g2 host 203.1.254.23 0x5e808afd
access-list acl_test line 13 extended permit ip 10.10.118.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x3f9a2846
access-list acl_test line 13 extended permit ip 10.10.214.0 255.255.255.0 host 203.1.254.23 (hitcnt=1) 0xd1686d86
access-list acl_test line 13 extended permit ip 10.10.217.0 255.255.255.0 host 203.1.254.23 (hitcnt=0) 0x18fcf739
How can the problem above be rectified? Will removing and re-entering the statement below work?
nat (inside) 1 access-list acl_test
TIA.
PF
